[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: CVE-2017-14482 - Red Hat Customer Portal
From: |
Glenn Morris |
Subject: |
Re: CVE-2017-14482 - Red Hat Customer Portal |
Date: |
Sat, 23 Sep 2017 13:18:59 -0400 |
User-agent: |
Gnus (www.gnus.org), GNU Emacs (www.gnu.org/software/emacs/) |
Eli Zaretskii wrote:
> But they don't tell the whole story: the vulnerability was actually
> caused by Gnus, MH-E, and perhaps other MUAs who decided to
> automatically support enriched text, without checking the code first.
> Otherwise, enriched.el per se has/had no problem whatsoever.
I disagree. Simply opening a file in an unpatched Emacs can run
arbitrary code with zero prompting. This is a massive security risk that
is entirely internal to enriched.el (possibly with the 'display property
more generally). It does get worse that Gnus would trust enriched.el to
decode mail messages too. But anyone using Emacs from 21.1 to 25.2
should be aware of this issue, whether or not they use Emacs for mail.
- Re: CVE-2017-14482 - Red Hat Customer Portal, (continued)
- Re: CVE-2017-14482 - Red Hat Customer Portal, Emanuel Berg, 2017/09/29
- Re: CVE-2017-14482 - Red Hat Customer Portal, Óscar Fuentes, 2017/09/29
- Re: CVE-2017-14482 - Red Hat Customer Portal, Emanuel Berg, 2017/09/29
- Re: CVE-2017-14482 - Red Hat Customer Portal, Óscar Fuentes, 2017/09/29
- Re: CVE-2017-14482 - Red Hat Customer Portal, Emanuel Berg, 2017/09/29
- Re: CVE-2017-14482 - Red Hat Customer Portal, Eli Zaretskii, 2017/09/29
- Re: CVE-2017-14482 - Red Hat Customer Portal, Emanuel Berg, 2017/09/24
- Re: CVE-2017-14482 - Red Hat Customer Portal, Charles A. Roelli, 2017/09/23
- Re: CVE-2017-14482 - Red Hat Customer Portal, Óscar Fuentes, 2017/09/23
- Re: CVE-2017-14482 - Red Hat Customer Portal, Eli Zaretskii, 2017/09/23
- Re: CVE-2017-14482 - Red Hat Customer Portal,
Glenn Morris <=
- Re: CVE-2017-14482 - Red Hat Customer Portal, Eli Zaretskii, 2017/09/23
- Re: CVE-2017-14482 - Red Hat Customer Portal, Yuri Khan, 2017/09/23
- Re: CVE-2017-14482 - Red Hat Customer Portal, Eli Zaretskii, 2017/09/23
- Re: CVE-2017-14482 - Red Hat Customer Portal, Philipp Stephani, 2017/09/24
- Re: CVE-2017-14482 - Red Hat Customer Portal, Robert Thorpe, 2017/09/24
- Re: CVE-2017-14482 - Red Hat Customer Portal, Eli Zaretskii, 2017/09/29
- Re: CVE-2017-14482 - Red Hat Customer Portal, Stefan Monnier, 2017/09/29
- Re: CVE-2017-14482 - Red Hat Customer Portal, Emanuel Berg, 2017/09/29
- Re: CVE-2017-14482 - Red Hat Customer Portal, Eli Zaretskii, 2017/09/29
- Message not available
- Re: CVE-2017-14482 - Red Hat Customer Portal, Emanuel Berg, 2017/09/24