
Emacs 25.3 released - untilted
https://lists.gnu.org/archive/html/emacs-devel/2017-09/msg00211.html
======
untilted
> _This is an emergency release to fix a security vulnerability in Emacs._

> _Enriched Text mode has its support for decoding 'x-display' disabled. This
> feature allows saving 'display' properties as part of text. Emacs 'display'
> properties support evaluation of arbitrary Lisp forms as part of
> instantiating the property, so decoding 'x-display' is vulnerable to
> executing arbitrary malicious Lisp code included in the text (e.g., sent as
> part of an email message)._

> _This vulnerability was introduced in Emacs 19.29. To work around that in
> Emacs versions before 25.3, append the following to your ~/.emacs init
> file:_
    
    
      (eval-after-load "enriched"
        '(defun enriched-decode-display-prop (start end &optional param)
           (list start end)))
    

> _Gnus no longer supports "richtext" and "enriched" inline MIME objects. This
> support was disabled to avoid evaluation of arbitrary Lisp code contained in
> email messages and news articles._
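
A defender-side check for the format the announcement describes, as an added example that is not part of the original post or of Emacs: it scans content declared as text/enriched for `x-display` annotations so that such files or messages can be reviewed before they are opened in an Emacs older than 25.3. The function names and the sample message are constructed for illustration; the `<<` escape and `<param>` syntax are those of the text/enriched format (RFC 1896).

```python
import re

# text/enriched tokens: "<<" is an escaped literal "<"; otherwise <name> or </name>.
TOKEN = re.compile(r"<<|<(/?)([A-Za-z0-9-]{1,60})>")
PARAM = re.compile(r"\s*<param>(.*?)</param>", re.IGNORECASE | re.DOTALL)
ENRICHED = re.compile(r"^content-type:\s*text/enriched", re.IGNORECASE | re.MULTILINE)


def find_x_display(text):
    """Return [(line_number, param_text)] for every opening x-display annotation."""
    hits = []
    for m in TOKEN.finditer(text):
        if m.group(0) == "<<":              # escaped "<": plain text, not markup
            continue
        closing, name = m.group(1), m.group(2).lower()   # tag names are case-insensitive
        if closing or name != "x-display":
            continue
        p = PARAM.match(text, m.end())      # optional <param> right after the tag
        param = p.group(1).replace("<<", "<") if p else ""
        hits.append((text.count("\n", 0, m.start()) + 1, param))
    return hits


def scan(text):
    """Report x-display annotations only in content declared as text/enriched."""
    return find_x_display(text) if ENRICHED.search(text) else []


# Constructed sample: the param is a harmless display spec, not a Lisp form to evaluate.
SAMPLE = (
    "Content-Type: text/enriched\n"
    "Text-Width: 70\n"
    "\n"
    "Plain line with an escaped <<x-display> that is only text.\n"
    "<bold>hello</bold>\n"
    "<X-Display><param>(space :width 4)</param>padded</X-Display>\n"
)

if __name__ == "__main__":
    for line, param in scan(SAMPLE):
        print(f"line {line}: x-display annotation, param={param!r}")
```

The scanner flags every `x-display` annotation regardless of its parameter, which mirrors the fix in 25.3: decoding is disabled outright rather than filtered.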

