help-gnu-emacs

Re: CVE-2017-14482 - Red Hat Customer Portal


From: Narendra Joshi
Subject: Re: CVE-2017-14482 - Red Hat Customer Portal
Date: Wed, 27 Sep 2017 00:14:41 +0530
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/27.0.50 (gnu/linux)

Glenn Morris <rgm@gnu.org> writes:

> Eli Zaretskii wrote:
>
>> But they don't tell the whole story: the vulnerability was actually
>> caused by Gnus, MH-E, and perhaps other MUAs who decided to
>> automatically support enriched text, without checking the code first.
>> Otherwise, enriched.el per se has/had no problem whatsoever.
>
> I disagree. Simply opening a file in an unpatched Emacs can run
> arbitrary code with zero prompting. This is a massive security risk that
> is entirely internal to enriched.el (possibly with the 'display property
> more generally). It does get worse that Gnus would trust enriched.el to
> decode mail messages too. But anyone using Emacs from 21.1 to 25.2

I just checked my Emacs version and it's:

```
GNU Emacs 27.0.50 (build 1, x86_64-pc-linux-gnu, X toolkit, Xaw3d scroll
bars) of 2017-09-17
```
Are we going to skip Emacs 26? 

> should be aware of this issue, whether or not they use Emacs for mail.
>

-- 
Narendra Joshi


