author Eli Zaretskii <eliz@gnu.org> 2017-09-12 20:58:44 +0200
committer Nicolas Petton <nicolas@petton.fr> 2017-09-12 20:58:44 +0200
commit 1b8690b95f678d247e6b5c7209d3eaba4720eb53
tree 51b33909de6ba1bdf905deda5c8aa6d0ebd26b7f
parent 784602b10506c50075aa9463891a47380ebea55f
Fix enriched.el code execution (Bug#28350)

* etc/NEWS: Document the vulnerability and its resolution. Include a workaround. Suggested by Charles A. Roelli <charles@aurox.ch>.
* lisp/gnus/mm-view.el (mm-inline-text): Disable decoding of "enriched" and "richtext" MIME objects. Suggested by Lars Ingebrigtsen <larsi@gnus.org>.
* lisp/textmodes/enriched.el (enriched-decode-display-prop): Don't produce 'display' properties. (Bug#28350)

-rw-r--r-- etc/NEWS 26
-rw-r--r-- lisp/gnus/mm-view.el 10
-rw-r--r-- lisp/textmodes/enriched.el 5
3 files changed, 36 insertions, 5 deletions
diff --git a/etc/NEWS b/etc/NEWS
index 539e56e42a0..013b7dc8c9c 100644
--- a/etc/NEWS
+++ b/etc/NEWS
@@ -16,6 +16,32 @@ You can narrow news to a specific version by calling 'view-emacs-news'
with a prefix argument or by typing C-u C-h C-n.
+* Changes in Emacs 25.3
+
+This is an emergency release to fix a security vulnerability in Emacs.
+
+** Security vulnerability related to Enriched Text mode is removed.
+
+*** Enriched Text mode has its support for decoding 'x-display' disabled.
+This feature allows saving 'display' properties as part of text.
+Emacs 'display' properties support evaluation of arbitrary Lisp forms
+as part of instantiating the property, so decoding 'x-display' is
+vulnerable to executing arbitrary malicious Lisp code included in the
+text (e.g., sent as part of an email message).
+
+This vulnerability was introduced in Emacs 19.29. To work around that
+in Emacs versions before 25.3, append the following to your ~/.emacs
+init file:
+
+ (eval-after-load "enriched"
+ '(defun enriched-decode-display-prop (start end &optional param)
+ (list start end)))
+
+*** Gnus no longer supports "richtext" and "enriched" inline MIME objects.
+This support was disabled to avoid evaluation of arbitrary Lisp code
+contained in email messages and news articles.
+
+
* Changes in Emacs 25.2
This is mainly a bug-fix release, but there are some other changes.
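Review bot: The entry "*** Enriched Text mode has its support for decoding 'x-display' disabled" explains the risk but does not say what a user will observe when opening an existing enriched file that carries 'x-display' markup. Suggest adding a sentence stating that such markup is now ignored on decode and no 'display' property is applied, so users who relied on the feature know the change is intentional. The workaround paragraph could also note that the redefined enriched-decode-display-prop returns only (list start end), which is the same return value the enriched.el change in this commit uses, so readers on older versions can see they get the same behaviour as 25.3.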
diff --git a/lisp/gnus/mm-view.el b/lisp/gnus/mm-view.el
index e5859d002cf..1b4c9526e21 100644
--- a/lisp/gnus/mm-view.el
+++ b/lisp/gnus/mm-view.el
@@ -383,10 +383,12 @@
(goto-char (point-max))))
(save-restriction
(narrow-to-region b (point))
- (when (member type '("enriched" "richtext"))
- (set-text-properties (point-min) (point-max) nil)
- (ignore-errors
- (enriched-decode (point-min) (point-max))))
+ ;; Disabled in Emacs 25.3 to avoid execution of arbitrary Lisp
+ ;; forms in display properties supported by enriched.el.
+ ;; (when (member type '("enriched" "richtext"))
+ ;; (set-text-properties (point-min) (point-max) nil)
+ ;; (ignore-errors
+ ;; (enriched-decode (point-min) (point-max))))
(mm-handle-set-undisplayer
handle
`(lambda ()
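Review bot: In this hunk the old (when (member type '("enriched" "richtext")) ...) form is kept as a four-line commented-out block rather than deleted. The two-line explanatory comment above it is enough, and version control already preserves the old code, so the dead block should go. With the decode step removed, nothing in the lines shown treats these two types specially any more, so their markup will presumably be displayed undecoded; if that is the intended result, say so in the comment. It would also help to state that this is a second layer on top of the enriched-decode-display-prop change in the same commit, so a later maintainer does not re-enable the call on the assumption that enriched.el alone is sufficient without checking.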
diff --git a/lisp/textmodes/enriched.el b/lisp/textmodes/enriched.el
index beb6c6dda39..bdfd5d68e32 100644
--- a/lisp/textmodes/enriched.el
+++ b/lisp/textmodes/enriched.el
@@ -503,6 +503,9 @@ the range of text to assign text property SYMBOL with value VALUE."
(error nil)))))
(unless prop
(message "Warning: invalid <x-display> parameter %s" param))
- (list start end 'display prop)))
+ ;; Disabled in Emacs 25.3 to avoid execution of arbitrary Lisp
+ ;; forms in display properties stored within enriched text.
+ ;; (list start end 'display prop)))
+ (list start end)))
;;; enriched.el ends here
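Review bot: At the end of enriched-decode-display-prop the context lines still compute prop and still emit (message "Warning: invalid <x-display> parameter %s" param) when it is nil, yet the new return value (list start end) discards prop in every case. The result is that a malformed parameter produces a warning while a well-formed one is dropped silently. Suggest either skipping the parse entirely now that its result is unused, or replacing the warning with a message that <x-display> is ignored for security reasons, so both cases are reported consistently. The commented-out line ";; (list start end 'display prop)))" should be deleted rather than kept; the two comment lines above it already explain the change, and leaving the old return form one uncomment away invites an accidental revert.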