oss-sec mailing list archives
GNU Emacs 25.2 enriched text remote code execution
From: Paul Eggert <eggert () cs ucla edu>
Date: Sun, 10 Sep 2017 23:56:20 -0700
GNU Emacs is an extensible, customizable, free/libre text editor and software environment. When Emacs renders MIME text/enriched data (Internet RFC 1896), it is vulnerable to arbitrary code execution. Since Emacs-based mail clients decode "Content-Type: text/enriched", this code is exploitable remotely. This bug affects GNU Emacs versions 19.29 through 25.2.
Although we know no efforts to exploit this in the wild, exploitation is easy.

== Details ==

https://bugs.gnu.org/28350

== Patch ==

https://git.savannah.gnu.org/cgit/emacs.git/commit/?h=emacs-25&id=9ad0fcc54442a9a01d41be19880250783426db70

== Mitigation ==

To work around the bug in unfixed versions of Emacs, put the following code in your personal or site-wide Emacs init file (~/.emacs, ~/emacs.d/init.el, site-start.el):

  ;; Mitigate Bug#28350 (security) in Emacs 25.2 and earlier.
  (eval-after-load "enriched"
    '(defun enriched-decode-display-prop (start end &optional param)
       (list start end)))

and avoid 'emacs -Q' and similar options that bypass normal initialization.

== Timeline ==

2017-09-04. Bug reported to the Emacs bug tracker by Charles A. Roelli.
2017-09-07. POC for remote code execution sent to the maintainers of Emacs and Gnus (Reiner Steib <Reiner.Steib () gmx de>, private mail).
2017-09-08. Patch (by Lars Ingebrigtsen <larsi () gnus org>) to disable the problematic code and mitigation (private mail).
2017-09-09. Patch committed in main development repository.
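
A check that the workaround from the Mitigation section is in effect in a running session, as an added example that is not part of the advisory or of Emacs. The function name bug28350-status is made up for this example. A build that carries the fix as a backport but still reports version 25.2 or lower is judged here by its version number and by the redefinition only.

```elisp
;; Added example, not from the advisory.  `bug28350-status' is a
;; hypothetical name chosen for this sketch.

;; Loading the library runs any (eval-after-load "enriched" ...) form
;; that the init file registered, so the redefinition is applied
;; before the check below looks at the function.
(require 'enriched)

(defun bug28350-status ()
  "Return `not-affected', `mitigated' or `unmitigated' for Bug#28350.
The affected range, 19.29 through 25.2, is the one the advisory gives."
  (let ((affected
         ;; Compare the numeric major/minor variables instead of
         ;; parsing the `emacs-version' string.
         (and (or (> emacs-major-version 19)
                  (and (= emacs-major-version 19)
                       (>= emacs-minor-version 29)))
              (or (< emacs-major-version 25)
                  (and (= emacs-major-version 25)
                       (<= emacs-minor-version 2))))))
    (cond
     ((not affected) 'not-affected)
     ;; The workaround redefines the decoder to return exactly
     ;; (START END), with no display property attached.  Any other
     ;; return value means the redefinition is not active.
     ((and (fboundp 'enriched-decode-display-prop)
           (equal (enriched-decode-display-prop 1 2) '(1 2)))
      'mitigated)
     (t 'unmitigated))))
```

Evaluate (bug28350-status) in a session started the way the mail client is normally started; a session started with 'emacs -Q' or '--batch' skips the init file and so does not reflect the workaround.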