Fwd: Re: [oss-security] GNU Emacs 25.2 enriched text remote code executi
From: Paul Eggert
Subject: Fwd: Re: [oss-security] GNU Emacs 25.2 enriched text remote code execution
Date: Tue, 12 Sep 2017 11:18:12 -0700
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.3.0

I got the following response to the announcement on the oss-security
mailing list. Question: what would cause the eval-after-load to be bypassed?
-------- Forwarded Message --------
Subject: Re: [oss-security] GNU Emacs 25.2 enriched text remote code
execution
Date: Tue, 12 Sep 2017 20:08:00 +0200
From: Florian Weimer <address@hidden>
To: Paul Eggert <address@hidden>
CC: address@hidden

* Paul Eggert:

> == Mitigation ==
>
> To work around the bug in unfixed versions of Emacs, put the following code in
> your personal or site-wide Emacs init file (~/.emacs, ~/emacs.d/init.el,
> site-start.el):
>
>   ;; Mitigate Bug#28350 (security) in Emacs 25.2 and earlier.
>   (eval-after-load "enriched"
>     '(defun enriched-decode-display-prop (start end &optional param)
>        (list start end)))

This does not override the function in all cases when enriched is
loaded. Something like this would be more reliable, but it will of
course slow down the starting of Emacs:

  (require 'enriched)
  (defun enriched-decode-display-prop (start end &optional param)
    (list start end))
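
Added example, not part of the original messages: a check, placed after either mitigation form in the init file, that confirms the override is the definition actually in effect. The `my/` names are hypothetical helpers; the check relies on the mitigation stub returning exactly `(list start end)` and is scoped to Emacs 25.2 and earlier, as in the mitigation comment.

```emacs-lisp
;; Added example; the my/ names are hypothetical helpers, not Emacs functions.
(require 'enriched)  ; load the library so the real definition is in place

(defun my/enriched-affected-version-p ()
  "Return non-nil on Emacs 25.2 and earlier, the versions the mitigation targets."
  (or (< emacs-major-version 25)
      (and (= emacs-major-version 25) (<= emacs-minor-version 2))))

(defun my/enriched-mitigation-active-p ()
  "Return non-nil if `enriched-decode-display-prop' is the mitigation stub.
The stub returns exactly (START END).  Any extra elements mean the
library's own definition is still the one being called."
  (or (not (fboundp 'enriched-decode-display-prop))
      ;; Constructed, harmless parameter: a plain string literal.
      (equal (enriched-decode-display-prop 1 2 "\"constructed\"")
             '(1 2))))

;; Run this after the mitigation form in the init file.
(when (and (my/enriched-affected-version-p)
           (not (my/enriched-mitigation-active-p)))
  (display-warning
   'enriched
   "Bug#28350 mitigation is not in effect: enriched-decode-display-prop was not overridden"
   :error))
```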