Date: Sun, 10 Sep 2017 23:56:20 -0700
From: Paul Eggert <eggert@...ucla.edu>
To: oss-security@...ts.openwall.com
Subject: GNU Emacs 25.2 enriched text remote code execution

GNU Emacs is an extensible, customizable, free/libre text editor and software 
environment.  When Emacs renders MIME text/enriched data (Internet RFC 1896), it 
is vulnerable to arbitrary code execution. Since Emacs-based mail clients decode 
"Content-Type: text/enriched", this code is exploitable remotely. This bug 
affects GNU Emacs versions 19.29 through 25.2.

Although we know of no efforts to exploit this in the wild, exploitation is easy.

== Details ==

https://bugs.gnu.org/28350

== Patch ==

https://git.savannah.gnu.org/cgit/emacs.git/commit/?h=emacs-25&id=9ad0fcc54442a9a01d41be19880250783426db70

== Mitigation ==

To work around the bug in unfixed versions of Emacs, put the following code in 
your personal or site-wide Emacs init file (~/.emacs, ~/.emacs.d/init.el, 
site-start.el):

   ;; Mitigate Bug#28350 (security) in Emacs 25.2 and earlier.
   (eval-after-load "enriched"
     '(defun enriched-decode-display-prop (start end &optional param)
        (list start end)))

and avoid 'emacs -Q' and similar options that bypass normal initialization.
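The init-file override above protects one Emacs installation. Where mail is delivered through a gateway or filter that can be modified, the same problem can be addressed before the message reaches an unfixed Emacs/Gnus client. The following Python is an added example, not code from the advisory or from the Emacs project: it parses a message, reports every text/enriched part, notes whether the part carries the Emacs-specific <x-display> directive that enriched-decode-display-prop processes, and relabels text/enriched parts as text/plain so the client never runs the enriched decoder on them. The sample message, its addresses, boundary and placeholder directive content are all constructed for this example; the verdict labels ("allow", "review", "quarantine") and the function names are assumptions, not part of any real gateway's API.

```python
import email
import re
from email import policy

# Constructed sample: a multipart/alternative message whose second part is
# text/enriched and contains an <x-display> directive. The addresses, the
# boundary and the directive content are placeholders with no real payload.
SAMPLE_MESSAGE = b"""\
From: sender@example.invalid
To: recipient@example.invalid
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset=us-ascii

Plain text alternative.
--b1
Content-Type: text/enriched; charset=us-ascii

<bold>Hello</bold> <x-display>PLACEHOLDER</x-display>
--b1--
"""

# enriched.el registers "x-display" as its non-standard display extension;
# that is the directive enriched-decode-display-prop handles, so its presence
# is the triage signal. Directive names are case-insensitive in RFC 1896.
X_DISPLAY_RE = re.compile(r"<x-display>", re.IGNORECASE)


def scan_message(raw: bytes) -> list:
    """Return one finding dict per text/enriched part in the raw message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_type() != "text/enriched":
            continue
        body = part.get_content()  # decoded text of this part
        findings.append({
            "content_type": part.get_content_type(),
            "has_x_display": bool(X_DISPLAY_RE.search(body)),
            "size": len(body),
        })
    return findings


def verdict(raw: bytes) -> str:
    """Policy decision (assumed labels): any text/enriched part needs review,
    and one carrying an <x-display> directive is quarantined."""
    findings = scan_message(raw)
    if not findings:
        return "allow"
    if any(f["has_x_display"] for f in findings):
        return "quarantine"
    return "review"


def neutralize(raw: bytes) -> bytes:
    """Relabel every text/enriched part as text/plain and re-serialize.

    set_type() keeps the existing parameters (e.g. charset), so the text
    still renders, but an unfixed Emacs/Gnus will not invoke the enriched
    decoder on it. The directives remain visible as literal text."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    for part in msg.walk():
        if part.get_content_type() == "text/enriched":
            part.set_type("text/plain")
    return msg.as_bytes()


if __name__ == "__main__":
    print("findings:", scan_message(SAMPLE_MESSAGE))
    print("verdict:", verdict(SAMPLE_MESSAGE))
    print("after neutralize:", scan_message(neutralize(SAMPLE_MESSAGE)))
```

Relabelling rather than dropping the part keeps the message readable for recipients who use other clients, while removing the trigger (Emacs's enriched decoding of "Content-Type: text/enriched") for the affected versions; the scan output can be logged so that messages that arrive in this format are visible to whoever reviews the gateway.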

== Timeline ==

2017-09-04. Bug reported to the Emacs bug tracker by Charles A. Roelli.

2017-09-07. POC for remote code execution sent to the maintainers of Emacs and 
Gnus (Reiner Steib <Reiner.Steib@....de>, private mail).

2017-09-08. Patch (by Lars Ingebrigtsen <larsi@...s.org>) to disable the 
problematic code and mitigation (private mail).

2017-09-09. Patch committed in main development repository.
