Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 12 Sep 2017 20:08:00 +0200
From: Florian Weimer <fw@...eb.enyo.de>
To: Paul Eggert <eggert@...ucla.edu>
Cc: oss-security@...ts.openwall.com
Subject: Re: GNU Emacs 25.2 enriched text remote code execution

* Paul Eggert:

> == Mitigation ==
>
> To work around the bug in unfixed versions of Emacs, put the following code in 
> your personal or site-wide Emacs init file (~/.emacs, ~/emacs.d/init.el, 
> site-start.el):
>
>    ;; Mitigate Bug#28350 (security) in Emacs 25.2 and earlier.
>    (eval-after-load "enriched"
>      '(defun enriched-decode-display-prop (start end &optional param)
>         (list start end)))

This does not override the function in all cases when enriched is
loaded.  Something like this would be more reliable, but it will of
course slow down the starting of Emacs:

(require 'enriched)
(defun enriched-decode-display-prop (start end &optional param)
  (list start end))

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.