This patch fixes a remote code execution vulnerability reported here: https://bugs.gnu.org/28350 http://www.openwall.com/lists/oss-security/2017/09/11/1 From 9ad0fcc54442a9a01d41be19880250783426db70 Mon Sep 17 00:00:00 2001 From: Lars Ingebrigtsen Date: Fri, 8 Sep 2017 20:23:31 -0700 Subject: Remove unsafe enriched mode translations * lisp/gnus/mm-view.el (mm-inline-text): Do not worry about enriched or richtext type. * lisp/textmodes/enriched.el (enriched-translations): Remove translations for FUNCTION, display (Bug#28350). (enriched-handle-display-prop, enriched-decode-display-prop): Remove. --- lisp/gnus/mm-view.el | 4 ---- lisp/textmodes/enriched.el | 32 -------------------------------- 2 files changed, 36 deletions(-) diff --git a/lisp/gnus/mm-view.el b/lisp/gnus/mm-view.el index e5859d0..77ad271 100644 --- a/lisp/gnus/mm-view.el +++ b/lisp/gnus/mm-view.el @@ -383,10 +383,6 @@ (goto-char (point-max)))) (save-restriction (narrow-to-region b (point)) - (when (member type '("enriched" "richtext")) - (set-text-properties (point-min) (point-max) nil) - (ignore-errors - (enriched-decode (point-min) (point-max)))) (mm-handle-set-undisplayer handle `(lambda () diff --git a/lisp/textmodes/enriched.el b/lisp/textmodes/enriched.el index beb6c6d..a8f0d38 100644 --- a/lisp/textmodes/enriched.el +++ b/lisp/textmodes/enriched.el @@ -117,12 +117,7 @@ expression, which is evaluated to get the string to insert.") (full "flushboth") (center "center")) (PARAMETER (t "param")) ; Argument of preceding annotation - ;; The following are not part of the standard: - (FUNCTION (enriched-decode-foreground "x-color") - (enriched-decode-background "x-bg-color") - (enriched-decode-display-prop "x-display")) (read-only (t "x-read-only")) - (display (nil enriched-handle-display-prop)) (unknown (nil format-annotate-value)) ; (font-size (2 "bigger") ; unimplemented ; (-2 "smaller")) @@ -477,32 +472,5 @@ Return value is \(begin end name positive-p), or nil if none was found." (message "Warning: no color specified for ") nil)) -;;; Handling the `display' property. - - -(defun enriched-handle-display-prop (old new) - "Return a list of annotations for a change in the `display' property. -OLD is the old value of the property, NEW is the new value. Value -is a list `(CLOSE OPEN)', where CLOSE is a list of annotations to -close and OPEN a list of annotations to open. Each of these lists -has the form `(ANNOTATION PARAM ...)'." - (let ((annotation "x-display") - (param (prin1-to-string (or old new)))) - (if (null old) - (cons nil (list (list annotation param))) - (cons (list (list annotation param)) nil)))) - -(defun enriched-decode-display-prop (start end &optional param) - "Decode a `display' property for text between START and END. -PARAM is a `' found for the property. -Value is a list `(START END SYMBOL VALUE)' with START and END denoting -the range of text to assign text property SYMBOL with value VALUE." - (let ((prop (when (stringp param) - (condition-case () - (car (read-from-string param)) - (error nil))))) - (unless prop - (message "Warning: invalid parameter %s" param)) - (list start end 'display prop))) ;;; enriched.el ends here