Gnus development mailing list
* Security: Gnus & GNU Emacs 25.2 enriched text remote code execution
@ 2017-09-11 21:57 Reiner Steib
  2017-09-12  4:14 ` Byung-Hee HWANG (황병희, 黃炳熙)
  0 siblings, 1 reply; 5+ messages in thread
From: Reiner Steib @ 2017-09-11 21:57 UTC (permalink / raw)
  To: info-gnus-english, ding

Emacs 25.3 is an emergency release to fix a security vulnerability
that is exploitable remotely in Emacs-based mail clients (such as
Gnus).

Please update to Emacs 25.3 as soon as possible:
http://lists.gnu.org/archive/html/info-gnu-emacs/2017-09/msg00000.html

To work around the bug in Emacs versions before 25.3, put the
following code in your personal or site-wide Emacs init file
(~/.emacs, ~/.emacs.d/init.el, site-start.el):

  (eval-after-load "enriched"
    '(defun enriched-decode-display-prop (start end &optional param)
       (list start end)))

See also <http://www.openwall.com/lists/oss-security/2017/09/11/1>.

Bye, Reiner.




* Re: Security: Gnus & GNU Emacs 25.2 enriched text remote code execution
  2017-09-11 21:57 Security: Gnus & GNU Emacs 25.2 enriched text remote code execution Reiner Steib
@ 2017-09-12  4:14 ` Byung-Hee HWANG (황병희, 黃炳熙)
  2017-09-12  9:48   ` Bjørn Mork
  0 siblings, 1 reply; 5+ messages in thread
From: Byung-Hee HWANG (황병희, 黃炳熙) @ 2017-09-12  4:14 UTC (permalink / raw)
  To: ding

In Article <yzsvakodhkv.fsf@marauder.physik.uni-ulm.de>,
 Reiner Steib <reinersteib@gmail.com> writes:

> Emacs 25.3 is an emergency release to fix a security vulnerability
> that is exploitable remotely in Emacs-based mail clients (such as
> Gnus).
>
> Please update to Emacs 25.3 as soon as possible:
> http://lists.gnu.org/archive/html/info-gnu-emacs/2017-09/msg00000.html
>
> To work around the bug in Emacs versions before 25.3, put the
> following code in your personal or site-wide Emacs init file
> (~/.emacs, ~/.emacs.d/init.el, site-start.el):
>
>   (eval-after-load "enriched"
>     '(defun enriched-decode-display-prop (start end &optional param)
>        (list start end)))
>
> See also <http://www.openwall.com/lists/oss-security/2017/09/11/1>.

By the way, my Emacs version is 23.3. Gnus version Ma Gnus 0.15. Hey I am
dangerous? Please ...

Sincerely, Byung-Hee.

-- 
^고맙습니다 _白衣從軍_ 감사합니다_^))//





* Re: Security: Gnus & GNU Emacs 25.2 enriched text remote code execution
  2017-09-12  4:14 ` Byung-Hee HWANG (황병희, 黃炳熙)
@ 2017-09-12  9:48   ` Bjørn Mork
  2017-09-12 11:31     ` Byung-Hee HWANG (황병희, 黃炳熙)
  0 siblings, 1 reply; 5+ messages in thread
From: Bjørn Mork @ 2017-09-12  9:48 UTC (permalink / raw)
  To: Byung-Hee HWANG "(황병희, 黃炳熙)"
  Cc: ding

soyeomul@doraji.xyz (Byung-Hee HWANG "(황병희, 黃炳熙)") writes:
> In Article <yzsvakodhkv.fsf@marauder.physik.uni-ulm.de>,
>  Reiner Steib <reinersteib@gmail.com> writes:
>
>> Emacs 25.3 is an emergency release to fix a security vulnerability
>> that is exploitable remotely in Emacs-based mail clients (such as
>> Gnus).
>>
>> Please update to Emacs 25.3 as soon as possible:
>> http://lists.gnu.org/archive/html/info-gnu-emacs/2017-09/msg00000.html
>>
>> To work around the bug in Emacs versions before 25.3, put the
>> following code in your personal or site-wide Emacs init file
>> (~/.emacs, ~/.emacs.d/init.el, site-start.el):
>>
>>   (eval-after-load "enriched"
>>     '(defun enriched-decode-display-prop (start end &optional param)
>>        (list start end)))
>>
>> See also <http://www.openwall.com/lists/oss-security/2017/09/11/1>.
>
> By the way, my Emacs version is 23.3. Gnus version Ma Gnus 0.15. Hey I am
> dangerous? Please ...

Quoting from the announcement referred to above:

  "This vulnerability was introduced in Emacs 19.29." 

So, yes, your emacs version is vulnerable.



Bjørn




* Re: Security: Gnus & GNU Emacs 25.2 enriched text remote code execution
  2017-09-12  9:48   ` Bjørn Mork
@ 2017-09-12 11:31     ` Byung-Hee HWANG (황병희, 黃炳熙)
  2017-09-14 14:44       ` Ted Zlatanov
  0 siblings, 1 reply; 5+ messages in thread
From: Byung-Hee HWANG (황병희, 黃炳熙) @ 2017-09-12 11:31 UTC (permalink / raw)
  To: ding

In Article <87ingomem8.fsf@miraculix.mork.no>,
 Bjørn Mork <bjorn@mork.no> writes:

> soyeomul@doraji.xyz (Byung-Hee HWANG "(황병희, 黃炳熙)") writes:
>> In Article <yzsvakodhkv.fsf@marauder.physik.uni-ulm.de>,
>>  Reiner Steib <reinersteib@gmail.com> writes:
>>
>>> Emacs 25.3 is an emergency release to fix a security vulnerability
>>> that is exploitable remotely in Emacs-based mail clients (such as
>>> Gnus).
>>>
>>> Please update to Emacs 25.3 as soon as possible:
>>> http://lists.gnu.org/archive/html/info-gnu-emacs/2017-09/msg00000.html
>>>
>>> To work around the bug in Emacs versions before 25.3, put the
>>> following code in your personal or site-wide Emacs init file
>>> (~/.emacs, ~/.emacs.d/init.el, site-start.el):
>>>
>>>   (eval-after-load "enriched"
>>>     '(defun enriched-decode-display-prop (start end &optional param)
>>>        (list start end)))
>>>
>>> See also <http://www.openwall.com/lists/oss-security/2017/09/11/1>.
>>
>> By the way, my Emacs version is 23.3. Gnus version Ma Gnus 0.15. Hey I am
>> dangerous? Please ...
>
> Quoting from the announcement referred to above:
>
>   "This vulnerability was introduced in Emacs 19.29." 
>
> So, yes, your emacs version is vulnerable.

So I just put the code in ~/.emacs of mine [1]. And my Emacs version is
23.3. Still I am dangerous?

Sincerely, Byung-Hee.

[1] https://raw.githubusercontent.com/soyeomul/Gnus/MaGnus/dot.emacs.el

-- 
^고맙습니다 _布德天下_ 감사합니다_^))//





* Re: Security: Gnus & GNU Emacs 25.2 enriched text remote code execution
  2017-09-12 11:31     ` Byung-Hee HWANG (황병희, 黃炳熙)
@ 2017-09-14 14:44       ` Ted Zlatanov
  0 siblings, 0 replies; 5+ messages in thread
From: Ted Zlatanov @ 2017-09-14 14:44 UTC (permalink / raw)
  To: ding

On Tue, 12 Sep 2017 20:31:07 +0900 soyeomul@doraji.xyz (Byung-Hee HWANG "(황병희, 黃炳熙)") wrote: 

BH> So I just put the code in ~/.emacs of mine [1]. And my Emacs version is
BH> 23.3. Still I am dangerous?

You're OK. But you should upgrade Emacs to a more recent version.

Ted
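
A way to confirm that the workaround from the first message is actually in effect in a running session, which is what the follow-up question above asks. This is an added example, not code from the thread or from the Emacs project; the `my/` function names and the probe value "0" are assumptions made for this check.

```elisp
;;; Added example, not from the thread.  The `my/...' names and the probe
;;; string "0" are constructed for this check.
(require 'enriched)   ; loading it also runs any `eval-after-load' override

(defun my/enriched-display-prop-status ()
  "Classify `enriched-decode-display-prop' as defined in this session.
Return `neutralised' if it ignores PARAM and yields only (START END), as
the workaround definition does; `unmodified' if it returns anything
else; `missing' if the function is not defined."
  (cond
   ((not (fboundp 'enriched-decode-display-prop)) 'missing)
   ;; "0" is a harmless probe value; only the shape of the result matters.
   ((equal (enriched-decode-display-prop 1 2 "0") '(1 2)) 'neutralised)
   (t 'unmodified)))

(defun my/enriched-workaround-report ()
  "Say whether this Emacs still needs, or already has, the workaround."
  (interactive)
  (let ((status (my/enriched-display-prop-status)))
    (message
     "Emacs %s: %s"
     emacs-version
     (cond
      ;; 25.3 is the fixed release named in the announcement.
      ((not (version< emacs-version "25.3"))
       "fixed release or later; the init-file workaround is not needed")
      ((eq status 'neutralised)
       "older than 25.3, workaround is active in this session")
      ((eq status 'missing)
       "older than 25.3, enriched-decode-display-prop is not defined")
      (t
       "older than 25.3 and workaround NOT active; check your init file")))))
```

Evaluate it in an Emacs that was started normally, so the init file has been read, then run `M-x my/enriched-workaround-report`. A session started with `emacs -Q` skips the init file and will report the workaround as not active on versions before 25.3.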



