Re: CVE-2017-14482 - Red Hat Customer Portal
From: Narendra Joshi
Subject: Re: CVE-2017-14482 - Red Hat Customer Portal
Date: Wed, 27 Sep 2017 00:14:41 +0530
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/27.0.50 (gnu/linux)

Glenn Morris <rgm@gnu.org> writes:
> Eli Zaretskii wrote:
>
>> But they don't tell the whole story: the vulnerability was actually
>> caused by Gnus, MH-E, and perhaps other MUAs who decided to
>> automatically support enriched text, without checking the code first.
>> Otherwise, enriched.el per se has/had no problem whatsoever.
>
> I disagree. Simply opening a file in an unpatched Emacs can run
> arbitrary code with zero prompting. This is a massive security risk that
> is entirely internal to enriched.el (possibly with the 'display property
> more generally). It does get worse that Gnus would trust enriched.el to
> decode mail messages too. But anyone using Emacs from 21.1 to 25.2
I just checked my Emacs version and it's
```
GNU Emacs 27.0.50 (build 1, x86_64-pc-linux-gnu, X toolkit, Xaw3d scroll
bars) of 2017-09-17
```
Are we going to skip Emacs 26?
> should be aware of this issue, whether or not they use Emacs for mail.
>
--
Narendra Joshi