From 1b8690b95f678d247e6b5c7209d3eaba4720eb53 Mon Sep 17 00:00:00 2001
From: Eli Zaretskii
Date: Tue, 12 Sep 2017 20:58:44 +0200
Subject: [PATCH] Fix enriched.el code execution (Bug#28350)
* etc/NEWS: Document the vulnerability and its resolution. Include a workaround. Suggested by Charles A. Roelli .
* lisp/gnus/mm-view.el (mm-inline-text): Disable decoding of "enriched" and "richtext" MIME objects. Suggested by Lars Ingebrigtsen .
* lisp/textmodes/enriched.el (enriched-decode-display-prop): Don't produce 'display' properties. (Bug#28350)
---
 etc/NEWS | 26 ++++++++++++++++++++++++++
 lisp/gnus/mm-view.el | 10 ++++++----
 lisp/textmodes/enriched.el | 5 ++++-
 3 files changed, 36 insertions(+), 5 deletions(-)
diff --git a/etc/NEWS b/etc/NEWS
index 539e56e42a0..013b7dc8c9c 100644
--- a/etc/NEWS
+++ b/etc/NEWS
@@ -15,6 +15,32 @@ and NEWS.1-17 for changes in older Emacs versions.
 You can narrow news to a specific version by calling 'view-emacs-news'
 with a prefix argument or by typing C-u C-h C-n.
 
+
+* Changes in Emacs 25.3
+
+This is an emergency release to fix a security vulnerability in Emacs.
+
+** Security vulnerability related to Enriched Text mode is removed.
+
+*** Enriched Text mode has its support for decoding 'x-display' disabled.
+This feature allows saving 'display' properties as part of text.
+Emacs 'display' properties support evaluation of arbitrary Lisp forms
+as part of instantiating the property, so decoding 'x-display' is
+vulnerable to executing arbitrary malicious Lisp code included in the
+text (e.g., sent as part of an email message).
+
+This vulnerability was introduced in Emacs 19.29. To work around that
+in Emacs versions before 25.3, append the following to your ~/.emacs
+init file:
+
+ (eval-after-load "enriched"
+ '(defun enriched-decode-display-prop (start end &optional param)
+ (list start end)))
+
+*** Gnus no longer supports "richtext" and "enriched" inline MIME objects.
+This support was disabled to avoid evaluation of arbitrary Lisp code
+contained in email messages and news articles.
+
 * Changes in Emacs 25.2
diff --git a/lisp/gnus/mm-view.el b/lisp/gnus/mm-view.el
index e5859d002cf..1b4c9526e21 100644
--- a/lisp/gnus/mm-view.el
+++ b/lisp/gnus/mm-view.el
@@ -383,10 +383,12 @@
 (goto-char (point-max))))
 (save-restriction
 (narrow-to-region b (point))
- (when (member type '("enriched" "richtext"))
- (set-text-properties (point-min) (point-max) nil)
- (ignore-errors
- (enriched-decode (point-min) (point-max))))
+ ;; Disabled in Emacs 25.3 to avoid execution of arbitrary Lisp
+ ;; forms in display properties supported by enriched.el.
+ ;; (when (member type '("enriched" "richtext"))
+ ;; (set-text-properties (point-min) (point-max) nil)
+ ;; (ignore-errors
+ ;; (enriched-decode (point-min) (point-max))))
 (mm-handle-set-undisplayer
 handle
 `(lambda ()
diff --git a/lisp/textmodes/enriched.el b/lisp/textmodes/enriched.el
index beb6c6dda39..bdfd5d68e32 100644
--- a/lisp/textmodes/enriched.el
+++ b/lisp/textmodes/enriched.el
@@ -503,6 +503,9 @@ the range of text to assign text property SYMBOL with value VALUE."
 (error nil)))))
 (unless prop
 (message "Warning: invalid parameter %s" param))
- (list start end 'display prop)))
+ ;; Disabled in Emacs 25.3 to avoid execution of arbitrary Lisp
+ ;; forms in display properties stored within enriched text.
+ ;; (list start end 'display prop)))
+ (list start end)))
 ;;; enriched.el ends here
-- 2.39.2
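Review bot: The enriched/richtext decoding branch in mm-inline-text is kept as six commented-out lines, and the comment above them carries no bug reference, so a later cleanup could uncomment the block without learning why it was disabled; delete the dead lines and keep a comment that names the issue, e.g. `;; Bug#28350: never run enriched-decode on message bodies; it can instantiate 'display' properties, which may evaluate arbitrary Lisp taken from the message.` With the branch gone, an "enriched" or "richtext" part that still reaches this function is inserted as raw text with its markup visible. If the mm-* dispatch tables outside this hunk still route text/enriched and text/richtext to mm-inline-text, consider dropping those entries too, so such parts are offered as attachments rather than shown as unreadable markup, or state in the comment that raw display is the intended behaviour. mm-inline-text begins and ends outside the hunk.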
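Review bot: The return value of enriched-decode-display-prop becomes `(list start end)`, but the docstring tail shown in the hunk header, "the range of text to assign text property SYMBOL with value VALUE", still promises a SYMBOL and VALUE that the function no longer returns; reword it to say that since Emacs 25.3 the 'display' property is deliberately not produced (Bug#28350) and that only START and END are returned, and confirm the caller accepts a two-element result, since the NEWS workaround relies on the same shape. The body above the hunk still appears to parse the untrusted PARAM (judging by the `(error nil)` condition-case tail in the context) and emits `Warning: invalid parameter` for a value that is now discarded, so the function keeps feeding attacker-supplied text to the Lisp reader for no benefit; the parse and the message can be dropped, leaving a stub that just returns the range. The commented-out `(list start end 'display prop)` line should be removed as well rather than left as an invitation to restore it. enriched-decode-display-prop begins outside the hunk.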