author | Paul Eggert <eggert@cs.ucla.edu> | 2017-09-12 09:11:53 -0700 |
---|---|---|
committer | Paul Eggert <eggert@cs.ucla.edu> | 2017-09-12 09:12:34 -0700 |
commit | e0284ab1261c4b94319a69abefe0a41fda491462 (patch) | |
tree | 90f1959f2d808b39e0fca3fa1b4bfd8c49005039 | |
parent | b6389930146882a77c22901a4357e287826fc7ff (diff) | |
download | emacs-e0284ab1261c4b94319a69abefe0a41fda491462.tar.gz |
Merge changes from 25.3 emergency release
-rw-r--r-- | ChangeLog.2 | 14 | ||||
-rw-r--r-- | README | 2 | ||||
-rw-r--r-- | configure.ac | 2 | ||||
-rw-r--r-- | etc/HISTORY | 2 | ||||
-rw-r--r-- | etc/NEWS | 39 | ||||
-rw-r--r-- | lisp/gnus/mm-view.el | 6 | ||||
-rw-r--r-- | lisp/textmodes/enriched.el | 35 | ||||
-rw-r--r-- | msdos/sed2v2.inp | 2 | ||||
-rw-r--r-- | nt/README.W32 | 2 |
9 files changed, 78 insertions, 26 deletions
diff --git a/ChangeLog.2 b/ChangeLog.2
index 4b266e1e952..83a190dbad6 100644
--- a/ChangeLog.2
+++ b/ChangeLog.2
@@ -1,3 +1,17 @@
+2017-09-11 Eli Zaretskii <eliz@gnu.org>
+
+ * etc/NEWS: Document the vulnerability and its resolution.
+ Include a workaround. Suggested by Charles A. Roelli
+ <charles@aurox.ch>.
+
+ * lisp/gnus/mm-view.el (mm-inline-text): Disable decoding of
+ "enriched" and "richtext" MIME objects. Suggested by Lars
+ Ingebrigtsen <larsi@gnus.org>.
+
+ * lisp/textmodes/enriched.el (enriched-decode-display-prop):
+ Don't produce 'display' properties. (Bug#28350)
+
+
 2017-04-20 Nicolas Petton <nicolas@petton.fr> * Version 25.2 released.
@@ -2,7 +2,7 @@ Copyright (C) 2001-2017 Free Software Foundation, Inc. See the end of the file for license conditions.
-This directory tree holds version 25.2.50 of GNU Emacs, the extensible,
+This directory tree holds version 25.3 of GNU Emacs, the extensible,
 customizable, self-documenting real-time display editor. The file INSTALL in this directory says how to build and install GNU
diff --git a/configure.ac b/configure.ac
index 2ccfca4336c..b0d3be77270 100644
--- a/configure.ac
+++ b/configure.ac
@@ -23,7 +23,7 @@ dnl along with GNU Emacs. If not, see <http://www.gnu.org/licenses/>. AC_PREREQ(2.65) dnl Note this is parsed by (at least) make-dist and lisp/cedet/ede/emacs.el.
-AC_INIT(GNU Emacs, 25.2.50, bug-gnu-emacs@gnu.org)
+AC_INIT(GNU Emacs, 25.3, bug-gnu-emacs@gnu.org)
 dnl Set emacs_config_options to the options of 'configure', quoted for the shell, dnl and then quoted again for a C string. Separate options with spaces.
diff --git a/etc/HISTORY b/etc/HISTORY
index ad38b3262d2..301ba33b97e 100644
--- a/etc/HISTORY
+++ b/etc/HISTORY
@@ -211,6 +211,8 @@ GNU Emacs 25.1 (2016-09-16) emacs-25.1 GNU Emacs 25.2 (2017-04-20) emacs-25.2
+GNU Emacs 25.3 (2017-09-11) emacs-25.3
+
 ---------------------------------------------------------------------- This file is part of GNU Emacs.
@@ -18,33 +18,28 @@ with a prefix argument or by typing C-u C-h C-n. * Changes in Emacs 25.3
-This is mainly a release to fix security-relevant bugs.
+This is an emergency release to fix a security vulnerability in Emacs.
-** Enriched text mode no longer supports the 'FUNCTION' and 'display'
-translations, and Gnus no longer processes enriched text when
-inlining. This fixes bugs introduced in Emacs 19.29. To work around
-these bugs in Emacs versions 19.29 through 25.2, append the following
-to your ~/.emacs file:
+** Security vulnerability related to Enriched Text mode is removed.
- (provide 'enriched)
- (defun enriched-mode (&optional arg))
- (defun enriched-decode (from to))
+*** Enriched Text mode has its support for decoding 'x-display' disabled.
+This feature allows saving 'display' properties as part of text.
+Emacs 'display' properties support evaluation of arbitrary Lisp forms
+as part of instantiating the property, so decoding 'x-display' is
+vulnerable to executing arbitrary malicious Lisp code included in the
+text (e.g., sent as part of an email message).
-Thanks to Charles A. Roelli for reporting this bug; see:
-https://bugs.gnu.org/28350
+This vulnerability was introduced in Emacs 19.29. To work around that
+in Emacs versions before 25.3, append the following to your ~/.emacs
+init file:
-** TLS/SSL connections no longer fall back on the openssl s_client
-command to set up SSL connections in some hopefully-unlikely cases.
-This fixes a bug introduced in Emacs 22.1. To work around this bug in
-Emacs versions 22.1 through 25.2, append the following to your
-~/.emacs file:
+ (eval-after-load "enriched"
+ '(defun enriched-decode-display-prop (start end &optional param)
+ (list start end)))
- (setq tls-program '("gnutls-cli --x509cafile %t -p %p %h"))
-
-You may need to omit the "--x509cafile %t" on older installations.
-
-Thanks to Kurt Roeckx for reporting this bug to Debian; see:
-https://bugs.debian.org/766397
+*** Gnus no longer supports "richtext" and "enriched" inline MIME objects.
+This support was disabled to avoid evaluation of arbitrary Lisp code
+contained in email messages and news articles.
 * Changes in Emacs 25.2
diff --git a/lisp/gnus/mm-view.el b/lisp/gnus/mm-view.el
index 77ad271d1da..1b4c9526e21 100644
--- a/lisp/gnus/mm-view.el
+++ b/lisp/gnus/mm-view.el
@@ -383,6 +383,12 @@
 (goto-char (point-max))))
 (save-restriction
 (narrow-to-region b (point))
+ ;; Disabled in Emacs 25.3 to avoid execution of arbitrary Lisp
+ ;; forms in display properties supported by enriched.el.
+ ;; (when (member type '("enriched" "richtext"))
+ ;; (set-text-properties (point-min) (point-max) nil)
+ ;; (ignore-errors
+ ;; (enriched-decode (point-min) (point-max))))
 (mm-handle-set-undisplayer
 handle
 `(lambda ()
diff --git a/lisp/textmodes/enriched.el b/lisp/textmodes/enriched.el
index a8f0d3891a8..bdfd5d68e32 100644
--- a/lisp/textmodes/enriched.el
+++ b/lisp/textmodes/enriched.el
@@ -117,7 +117,12 @@ expression, which is evaluated to get the string to insert.")
 (full "flushboth")
 (center "center"))
 (PARAMETER (t "param")) ; Argument of preceding annotation
+ ;; The following are not part of the standard:
+ (FUNCTION (enriched-decode-foreground "x-color")
+ (enriched-decode-background "x-bg-color")
+ (enriched-decode-display-prop "x-display"))
 (read-only (t "x-read-only"))
+ (display (nil enriched-handle-display-prop))
 (unknown (nil format-annotate-value))
 ; (font-size (2 "bigger") ; unimplemented
 ; (-2 "smaller"))
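Review bot: In the lisp/gnus/mm-view.el hunk the disabled `enriched-decode` call is kept as commented-out code, and the comment above it does not say what would have to hold before anyone restores it. Message and article bodies are untrusted input, so a reader who uncomments these lines re-opens the path unless decoding can never yield an evaluated property. I would drop the dead form and leave a comment that states the rule and cites the bug, e.g. `;; Do not run enriched-decode on "enriched"/"richtext" parts: the body is untrusted and decoding may produce evaluated 'display' forms (Bug#28350).` The enclosing function starts and ends outside the hunk, so how these parts are rendered after the change is not visible here.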
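Review bot: The translation table in lisp/textmodes/enriched.el still carries `(display (nil enriched-handle-display-prop))`, so the encoding side appears to keep writing `x-display` annotations while the decoder added in the later hunk of this file discards them. That leaves the format asymmetric: a `display` property is serialized with `prin1-to-string` on save but not restored on reload, and files written by this version still contain forms that, per the NEWS text in this commit, Emacs versions before 25.3 evaluate when decoding. If that is intended, a comment on the entry would record it, e.g. `;; Still written on save, but ignored by enriched-decode-display-prop since 25.3 (Bug#28350).` The table's definition begins and ends outside the hunk.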
@@ -472,5 +477,35 @@ Return value is \(begin end name positive-p), or nil if none was found." (message "Warning: no color specified for <x-bg-color>") nil))
+;;; Handling the `display' property.
+
+
+(defun enriched-handle-display-prop (old new)
+ "Return a list of annotations for a change in the `display' property.
+OLD is the old value of the property, NEW is the new value. Value
+is a list `(CLOSE OPEN)', where CLOSE is a list of annotations to
+close and OPEN a list of annotations to open. Each of these lists
+has the form `(ANNOTATION PARAM ...)'."
+ (let ((annotation "x-display")
+ (param (prin1-to-string (or old new))))
+ (if (null old)
+ (cons nil (list (list annotation param)))
+ (cons (list (list annotation param)) nil))))
+
+(defun enriched-decode-display-prop (start end &optional param)
+ "Decode a `display' property for text between START and END.
+PARAM is a `<param>' found for the property.
+Value is a list `(START END SYMBOL VALUE)' with START and END denoting
+the range of text to assign text property SYMBOL with value VALUE."
+ (let ((prop (when (stringp param)
+ (condition-case ()
+ (car (read-from-string param))
+ (error nil)))))
+ (unless prop
+ (message "Warning: invalid <x-display> parameter %s" param))
+ ;; Disabled in Emacs 25.3 to avoid execution of arbitrary Lisp
+ ;; forms in display properties stored within enriched text.
+ ;; (list start end 'display prop)))
+ (list start end)))
 ;;; enriched.el ends here
diff --git a/msdos/sed2v2.inp b/msdos/sed2v2.inp
index d490017c5e1..b4a04d3f4db 100644
--- a/msdos/sed2v2.inp
+++ b/msdos/sed2v2.inp
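Review bot: The docstring of `enriched-decode-display-prop` in lisp/textmodes/enriched.el still promises a `(START END SYMBOL VALUE)` list, but the body now returns `(list start end)`, so the documented contract no longer matches the code. I would replace the last two docstring lines with `Value is a list (START END); the display property is deliberately not assigned (Bug#28350).` The `let` also still runs `read-from-string` on the file-supplied PARAM only to decide whether to print the warning, and a parameter that reads as `nil` triggers that same warning. Since the parsed value is discarded, the body could shrink to `(list start end)` as in the NEWS workaround, unless the warning is wanted.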
@@ -66,7 +66,7 @@
 /^#undef PACKAGE_TARNAME/s/^.*$/#define PACKAGE_TARNAME ""/
 /^#undef PACKAGE_VERSION/s/^.*$/#define PACKAGE_VERSION VERSION/
 /^#undef PENDING_OUTPUT_COUNT/s/^.*$/#define PENDING_OUTPUT_COUNT(FILE) ((FILE)->_ptr - (FILE)->_base)/
-/^#undef VERSION/s/^.*$/#define VERSION "25.2.50"/
+/^#undef VERSION/s/^.*$/#define VERSION "25.3"/
 /^#undef SYSTEM_TYPE/s/^.*$/#define SYSTEM_TYPE "ms-dos"/
 /^#undef HAVE_DECL_GETENV/s/^.*$/#define HAVE_DECL_GETENV 1/
 /^#undef SYS_SIGLIST_DECLARED/s/^.*$/#define SYS_SIGLIST_DECLARED 1/
diff --git a/nt/README.W32 b/nt/README.W32
index 74caf3978e5..1f97ea8dffd 100644
--- a/nt/README.W32
+++ b/nt/README.W32
@@ -1,7 +1,7 @@ Copyright (C) 2001-2017 Free Software Foundation, Inc. See the end of the file for license conditions.
- Emacs version 25.2.50 for MS-Windows
+ Emacs version 25.3 for MS-Windows
 This README file describes how to set up and run a precompiled distribution of the latest version of GNU Emacs for MS-Windows. You |