help-gnu-emacs

Re: CVE-2017-14482 - Red Hat Customer Portal


From: Eli Zaretskii
Subject: Re: CVE-2017-14482 - Red Hat Customer Portal
Date: Sat, 23 Sep 2017 20:34:07 +0300

> From: Glenn Morris <rgm@gnu.org>
> Cc: help-gnu-emacs@gnu.org
> Date: Sat, 23 Sep 2017 13:18:59 -0400
> 
> Eli Zaretskii wrote:
> 
> > But they don't tell the whole story: the vulnerability was actually
> > caused by Gnus, MH-E, and perhaps other MUAs who decided to
> > automatically support enriched text, without checking the code first.
> > Otherwise, enriched.el per se has/had no problem whatsoever.
> 
> I disagree. Simply opening a file in an unpatched Emacs can run
> arbitrary code with zero prompting.

How did that file end up in a directory you can access?  Why are you
visiting a file about which you know nothing at all?

And how is that different from a Lisp package that creates display
properties out of thin air?

> This is a massive security risk that is entirely internal to
> enriched.el (possibly with the 'display property more generally).

More generally, Emacs itself.  Even more generally, any software you
use.

> It does get worse that Gnus would trust enriched.el to decode mail
> messages too. But anyone using Emacs from 21.1 to 25.2 should be
> aware of this issue, whether or not they use Emacs for mail.

If you use software you didn't write, you are at risk.  If you don't
want the risk of ending up in a car crash, the only way is not to
leave home.


