help-gnu-emacs

Re: CVE-2017-14482 - Red Hat Customer Portal


From: Philipp Stephani
Subject: Re: CVE-2017-14482 - Red Hat Customer Portal
Date: Tue, 26 Sep 2017 18:51:14 +0000

Narendra Joshi <narendraj9@gmail.com> wrote on Tue, 26 Sep 2017 at
20:43:

> Glenn Morris <rgm@gnu.org> writes:
>
> > Eli Zaretskii wrote:
> >
> >> But they don't tell the whole story: the vulnerability was actually
> >> caused by Gnus, MH-E, and perhaps other MUAs who decided to
> >> automatically support enriched text, without checking the code first.
> >> Otherwise, enriched.el per se has/had no problem whatsoever.
> >
> > I disagree. Simply opening a file in an unpatched Emacs can run
> > arbitrary code with zero prompting. This is a massive security risk that
> > is entirely internal to enriched.el (possibly with the 'display property
> > more generally). It does get worse that Gnus would trust enriched.el to
> > decode mail messages too. But anyone using Emacs from 21.1 to 25.2
> I just checked my Emacs version and it's
>
> ```
> GNU Emacs 27.0.50 (build 1, x86_64-pc-linux-gnu, X toolkit, Xaw3d scroll
> bars) of 2017-09-17
> ```
> Are we going to skip Emacs 26?
>

You're building from master. That already has the major version after the
next release version, since changes pushed to master will end up in Emacs
27.

