From mboxrd@z Thu Jan  1 00:00:00 1970
X-Msuck: nntp://news.gmane.io/gmane.emacs.gnus.general/87662
Path: news.gmane.org!.POSTED!not-for-mail
From: =?utf-8?Q?Bj=C3=B8rn_Mork?= <bjorn@mork.no>
Newsgroups: gmane.emacs.gnus.general
Subject: Re: Security: Gnus & GNU Emacs 25.2 enriched text remote code execution
Date: Tue, 12 Sep 2017 11:48:47 +0200
Organization: m
Message-ID: <87ingomem8.fsf@miraculix.mork.no>
References: <yzsvakodhkv.fsf@marauder.physik.uni-ulm.de>
	<yw.u6fdf4e0b8ecd.1505189512.fsf@lambda.alex.chromebook>
NNTP-Posting-Host: blaine.gmane.org
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-Trace: blaine.gmane.org 1505209835 15114 195.159.176.226 (12 Sep 2017 09:50:35 GMT)
X-Complaints-To: usenet@blaine.gmane.org
NNTP-Posting-Date: Tue, 12 Sep 2017 09:50:35 +0000 (UTC)
User-Agent: Gnus/5.130015 (Ma Gnus v0.15) Emacs/24.5 (gnu/linux)
Cc: ding@gnus.org
To: soyeomul@doraji.xyz (Byung-Hee HWANG =?utf-8?B?Iijtmanrs5HtnawsIA==?=
 =?utf-8?B?6buD54Kz54aZKSI=?=)
Original-X-From: ding-owner+m35878@lists.math.uh.edu Tue Sep 12 11:50:28 2017
Return-path: <ding-owner+m35878@lists.math.uh.edu>
Envelope-to: ding-account@gmane.org
Original-Received: from mxfilter-048034.atla03.us.yomura.com ([107.189.48.34])
	by blaine.gmane.org with esmtp (Exim 4.84_2)
	(envelope-from <ding-owner+m35878@lists.math.uh.edu>)
	id 1drhpV-0002Xs-M6
	for ding-account@gmane.org; Tue, 12 Sep 2017 11:50:05 +0200
X-Yomura-MXScrub: 1.0
Original-Received: from lists1.math.uh.edu (unknown [129.7.128.208])
	by mxfilter-048034.atla03.us.yomura.com (Halon) with ESMTPS
	id b7bf9a6a-979f-11e7-9d96-b499baa2b07a;
	Tue, 12 Sep 2017 09:49:49 +0000 (UTC)
Original-Received: from localhost ([127.0.0.1] helo=lists.math.uh.edu)
	by lists1.math.uh.edu with smtp (Exim 4.87)
	(envelope-from <ding-owner+M35878@lists.math.uh.edu>)
	id 1drhoW-0002eD-1G; Tue, 12 Sep 2017 04:49:04 -0500
Original-Received: from mx2.math.uh.edu ([129.7.128.33])
	by lists1.math.uh.edu with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256)
	(Exim 4.87)
	(envelope-from <junkmaster@quimby.gnus.org>)
	id 1drhoT-0002dd-Ga
	for ding@lists.math.uh.edu; Tue, 12 Sep 2017 04:49:01 -0500
Original-Received: from quimby.gnus.org ([80.91.231.51])
	by mx2.math.uh.edu with esmtps (TLSv1.2:DHE-RSA-AES128-SHA:128)
	(Exim 4.87)
	(envelope-from <junkmaster@quimby.gnus.org>)
	id 1drhoR-0001Vk-5M
	for ding@lists.math.uh.edu; Tue, 12 Sep 2017 04:49:01 -0500
Original-Received: from canardo.mork.no ([148.122.252.1])
	by quimby.gnus.org with esmtps (TLS1.2:DHE_RSA_AES_256_CBC_SHA256:256)
	(Exim 4.80)
	(envelope-from <bjorn@mork.no>)
	id 1drhoP-0002Lw-By
	for ding@gnus.org; Tue, 12 Sep 2017 11:48:57 +0200
Original-Received: from miraculix.mork.no ([IPv6:2a02:2121:30b:f9d4:3850:b3ff:feff:6529])
	(authenticated bits=0)
	by canardo.mork.no (8.15.2/8.15.2) with ESMTPSA id v8C9mqb5022315
	(version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO);
	Tue, 12 Sep 2017 11:48:54 +0200
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mork.no; s=b;
	t=1505209735; bh=9xMv6Do/espSJCvL8lK9746VRNgyhVKv9go9UlCkQe8=;
	h=From:To:Cc:Subject:References:Date:Message-ID:From;
	b=aaUZYm1sYNMf9syMcmFQEtG7DubbF0HkAIR1wnxNaVIHbnRwRK6xP0KjLuMBDHXlD
	 TdoA6Rw9mrjDRkNPcRGLUE8m2EJzOkY/IEnYKEOqNHflgyu0gJUo4D3hgArO8nFj24
	 JjYj1jSUpFLOHJ0fEkQEP2RhJx+8X25npmZEqt1Q=
Original-Received: from bjorn by miraculix.mork.no with local (Exim 4.89)
	(envelope-from <bjorn@mork.no>)
	id 1drhoF-00039W-3h; Tue, 12 Sep 2017 11:48:47 +0200
In-Reply-To: <yw.u6fdf4e0b8ecd.1505189512.fsf@lambda.alex.chromebook>
	("Byung-Hee HWANG =?utf-8?B?XCIo7Zmp67OR7Z2sLCDpu4PngrPnhpkpXCIiJ3M=?=
 message of "Tue, 12 Sep 2017
	13:14:50 +0900")
X-Virus-Scanned: clamav-milter 0.99.2 at canardo
X-Virus-Status: Clean
List-ID: <ding.gnus.org>
Precedence: bulk
Xref: news.gmane.org gmane.emacs.gnus.general:87662
Archived-At: <http://permalink.gmane.org/gmane.emacs.gnus.general/87662>

soyeomul@doraji.xyz (Byung-Hee HWANG "(=ED=99=A9=EB=B3=91=ED=9D=AC, =E9=BB=
=83=E7=82=B3=E7=86=99)") writes:
> In Article <yzsvakodhkv.fsf@marauder.physik.uni-ulm.de>,
>  Reiner Steib <reinersteib@gmail.com> writes:
>
>> Emacs 25.3 is an emergency release to fix a security vulnerability
>> that is exploitable remotely in Emacs-based mail clients (such as
>> Gnus).
>>
>> Please update to Emacs 25.3 as soon as possible:
>> http://lists.gnu.org/archive/html/info-gnu-emacs/2017-09/msg00000.html
>>
>> To work around the bug in Emacs versions before 25.3, put the
>> following code in your personal or site-wide Emacs init file
>> (~/.emacs, ~/emacs.d/init.el, site-start.el):
>>
>>   (eval-after-load "enriched"
>>     '(defun enriched-decode-display-prop (start end &optional param)
>>        (list start end)))
>>
>> See also <http://www.openwall.com/lists/oss-security/2017/09/11/1>.
>
> By the way, my emacs version is 23.3. Gnus version Ma Gnus 0.15. Hey i am
> dangerous? Please ...

Quoting from the announcement referred to above:

  "This vulnerability was introduced in Emacs 19.29."=20

So, yes, your emacs version is vulnerable.



Bj=C3=B8rn