From d07fd34722b84ae2c407f195c82d7632a94de704 Mon Sep 17 00:00:00 2001 From: Paul Eggert Date: Tue, 12 Sep 2017 12:55:29 -0700 Subject: [PATCH] * etc/NEWS.25: Copy from emacs-25 etc/NEWS. --- etc/NEWS.25 | 39 +++++++++++++++++---------------------- 1 file changed, 17 insertions(+), 22 deletions(-) diff --git a/etc/NEWS.25 b/etc/NEWS.25 index db448fd61ac..be04b5fcdc3 100644 --- a/etc/NEWS.25 +++ b/etc/NEWS.25 @@ -18,33 +18,28 @@ with a prefix argument or by typing C-u C-h C-n. * Changes in Emacs 25.3 -This is mainly a release to fix security-relevant bugs. +This is an emergency release to fix a security vulnerability in Emacs. -** Enriched text mode no longer supports the 'FUNCTION' and 'display' -translations, and Gnus no longer processes enriched text when -inlining. This fixes bugs introduced in Emacs 19.29. To work around -these bugs in Emacs versions 19.29 through 25.2, append the following -to your ~/.emacs file: +** Security vulnerability related to Enriched Text mode is removed. - (provide 'enriched) - (defun enriched-mode (&optional arg)) - (defun enriched-decode (from to)) +*** Enriched Text mode has its support for decoding 'x-display' disabled. +This feature allows saving 'display' properties as part of text. +Emacs 'display' properties support evaluation of arbitrary Lisp forms +as part of instantiating the property, so decoding 'x-display' is +vulnerable to executing arbitrary malicious Lisp code included in the +text (e.g., sent as part of an email message). -Thanks to Charles A. Roelli for reporting this bug; see: -https://bugs.gnu.org/28350 +This vulnerability was introduced in Emacs 21.1. To work around that +in Emacs versions before 25.3, append the following to your ~/.emacs +init file: -** TLS/SSL connections no longer fall back on the openssl s_client -command to set up SSL connections in some hopefully-unlikely cases. -This fixes a bug introduced in Emacs 22.1. To work around this bug in -Emacs versions 22.1 through 25.2, append the following to your -~/.emacs file: + (eval-after-load "enriched" + '(defun enriched-decode-display-prop (start end &optional param) + (list start end))) - (setq tls-program '("gnutls-cli --x509cafile %t -p %p %h")) - -You may need to omit the "--x509cafile %t" on older installations. - -Thanks to Kurt Roeckx for reporting this bug to Debian; see: -https://bugs.debian.org/766397 +*** Gnus no longer supports "richtext" and "enriched" inline MIME objects. +This support was disabled to avoid evaluation of arbitrary Lisp code +contained in email messages and news articles. * Changes in Emacs 25.2 -- 2.39.5