--- /dev/null
--- /dev/null
++From 4089d95cb69c449bb92a68b22ebb69cc4e4cb26b Mon Sep 17 00:00:00 2001
++From: Lars Ingebrigtsen <larsi@gnus.org>
++Date: Fri, 8 Sep 2017 20:23:31 -0700
++Subject: A remote execution exploit via enriched text has been blocked
++
++This upstream patch has been incorporated to fix the problem:
++
++ Remove unsafe enriched mode translations
++
++ * lisp/gnus/mm-view.el (mm-inline-text):
++ Do not worry about enriched or richtext type.
++ * lisp/textmodes/enriched.el (enriched-translations):
++ Remove translations for FUNCTION, display (Bug#28350).
++ (enriched-handle-display-prop, enriched-decode-display-prop): Remove.
++
++Origin: backport, commit: 9ad0fcc54442a9a01d41be19880250783426db70)
++Bug: https://bugs.gnu.org/28350
++Bug-Debian: http://bugs.debian.org/875447
++Forwarded: not-needed
++---
++ lisp/gnus/mm-view.el | 4 ----
++ lisp/textmodes/enriched.el | 32 --------------------------------
++ 2 files changed, 36 deletions(-)
++
++diff --git a/lisp/gnus/mm-view.el b/lisp/gnus/mm-view.el
++index e5859d002cf..77ad271d1da 100644
++--- a/lisp/gnus/mm-view.el
+++++ b/lisp/gnus/mm-view.el
++@@ -383,10 +383,6 @@ mm-inline-text
++ (goto-char (point-max))))
++ (save-restriction
++ (narrow-to-region b (point))
++- (when (member type '("enriched" "richtext"))
++- (set-text-properties (point-min) (point-max) nil)
++- (ignore-errors
++- (enriched-decode (point-min) (point-max))))
++ (mm-handle-set-undisplayer
++ handle
++ `(lambda ()
++diff --git a/lisp/textmodes/enriched.el b/lisp/textmodes/enriched.el
++index beb6c6dda39..a8f0d3891a8 100644
++--- a/lisp/textmodes/enriched.el
+++++ b/lisp/textmodes/enriched.el
++@@ -117,12 +117,7 @@ enriched-translations
++ (full "flushboth")
++ (center "center"))
++ (PARAMETER (t "param")) ; Argument of preceding annotation
++- ;; The following are not part of the standard:
++- (FUNCTION (enriched-decode-foreground "x-color")
++- (enriched-decode-background "x-bg-color")
++- (enriched-decode-display-prop "x-display"))
++ (read-only (t "x-read-only"))
++- (display (nil enriched-handle-display-prop))
++ (unknown (nil format-annotate-value))
++ ; (font-size (2 "bigger") ; unimplemented
++ ; (-2 "smaller"))
++@@ -477,32 +472,5 @@ enriched-decode-background
++ (message "Warning: no color specified for <x-bg-color>")
++ nil))
++ \f
++-;;; Handling the `display' property.
++-
++-
++-(defun enriched-handle-display-prop (old new)
++- "Return a list of annotations for a change in the `display' property.
++-OLD is the old value of the property, NEW is the new value. Value
++-is a list `(CLOSE OPEN)', where CLOSE is a list of annotations to
++-close and OPEN a list of annotations to open. Each of these lists
++-has the form `(ANNOTATION PARAM ...)'."
++- (let ((annotation "x-display")
++- (param (prin1-to-string (or old new))))
++- (if (null old)
++- (cons nil (list (list annotation param)))
++- (cons (list (list annotation param)) nil))))
++-
++-(defun enriched-decode-display-prop (start end &optional param)
++- "Decode a `display' property for text between START and END.
++-PARAM is a `<param>' found for the property.
++-Value is a list `(START END SYMBOL VALUE)' with START and END denoting
++-the range of text to assign text property SYMBOL with value VALUE."
++- (let ((prop (when (stringp param)
++- (condition-case ()
++- (car (read-from-string param))
++- (error nil)))))
++- (unless prop
++- (message "Warning: invalid <x-display> parameter %s" param))
++- (list start end 'display prop)))
++
++ ;;; enriched.el ends here
projects / emacs.git / commitdiff