[blfs-book] [BLFS Trac] #9755: emacs-25.3

BLFS Trac via blfs-book blfs-book at lists.linuxfromscratch.org
Fri Sep 15 13:06:45 PDT 2017


#9755: emacs-25.3
-------------------------+-----------------------
 Reporter:  bdubbs@…     |       Owner:  bdubbs@…
     Type:  enhancement  |      Status:  assigned
 Priority:  normal       |   Milestone:  8.2
Component:  BOOK         |     Version:  SVN
 Severity:  normal       |  Resolution:
 Keywords:               |
-------------------------+-----------------------

Comment (by bdubbs@…):

 Changes in Emacs 25.3

 This is an emergency release to fix a security vulnerability in Emacs.

 * Security vulnerability related to Enriched Text mode is removed.

 * Enriched Text mode has its support for decoding 'x-display' disabled.
 This feature allows saving 'display' properties as part of text.
 Emacs 'display' properties support evaluation of arbitrary Lisp forms
 as part of instantiating the property, so decoding 'x-display' is
 vulnerable to executing arbitrary malicious Lisp code included in the
 text (e.g., sent as part of an email message).

 This vulnerability was introduced in Emacs 19.29.  To work around that
 in Emacs versions before 25.3, append the following to your ~/.emacs
 init file:
 {{{
   (eval-after-load "enriched"
     '(defun enriched-decode-display-prop (start end &optional param)
        (list start end)))
 }}}
 * Gnus no longer supports "richtext" and "enriched" inline MIME objects.
   This support was disabled to avoid evaluation of arbitrary Lisp code
   contained in email messages and news articles.

--
Ticket URL: <http://wiki.linuxfromscratch.org/blfs/ticket/9755#comment:2>
BLFS Trac <http://wiki.linuxfromscratch.org/blfs>
Beyond Linux From Scratch
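
A defensive check for the issue described in the comment above, as an added example that is not part of the ticket or of Emacs: a Python scan of a mail message or a saved Enriched Text file for 'x-display' annotations in text/enriched or text/richtext parts. The function names, the constructed sample message and the case-insensitive tag matching are assumptions of this example.

```python
import re
from email import message_from_string

# MIME types named in the release notes (Enriched Text mode, Gnus inline objects).
RISKY_TYPES = {"text/enriched", "text/richtext"}
# In text/enriched "<<" is an escaped literal "<": it is consumed first so it
# never starts a tag. Tag names are matched case-insensitively to be conservative.
_TAG = re.compile(r"<<|<(/?)([A-Za-z0-9-]+)>")
_PARAM = re.compile(r"\s*<param>(.*?)</param>", re.S | re.I)

def find_x_display(body):
    """Return the <param> text of each opening x-display annotation in body."""
    hits = []
    for m in _TAG.finditer(body):
        if m.group(0) == "<<" or m.group(1) or m.group(2).lower() != "x-display":
            continue  # escaped "<", closing tag, or some other annotation
        p = _PARAM.match(body, m.end())
        hits.append(p.group(1).replace("<<", "<") if p else "")
    return hits

def scan_message(raw):
    """Return (content_type, param) for x-display annotations in risky parts.

    A file saved by Enriched Text mode starts with a Content-Type header line,
    so it parses as a single-part message and is handled the same way.
    """
    findings = []
    for part in message_from_string(raw).walk():
        ctype = part.get_content_type()
        if ctype not in RISKY_TYPES:
            continue
        data = part.get_payload(decode=True) or b""
        try:
            text = data.decode(part.get_content_charset() or "utf-8", "replace")
        except LookupError:  # unknown charset label in the part header
            text = data.decode("latin-1")
        findings += [(ctype, param) for param in find_x_display(text)]
    return findings

# Constructed sample message (not from the ticket); the display spec is benign.
SAMPLE = (
    'MIME-Version: 1.0\nContent-Type: multipart/mixed; boundary="b"\n\n'
    "--b\nContent-Type: text/plain\n\n"
    "<x-display><param>plain part, not decoded</param>x</x-display>\n"
    "--b\nContent-Type: text/enriched\n\n"
    "<<x-display> is only an escaped literal here.\n"
    '<X-Display><param>(image :file "logo.png")</param>[img]</X-Display>\n'
    "--b--\n"
)
```

Any non-empty result from scan_message marks a message or file that an unpatched Emacs would decode through the 'x-display' path.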

