Port alternate signal stack to upcoming glibc 2.34

* src/sysdep.c (sigsegv_stack): Increase size to 64 KiB and align
it to max_align_t.  This copies from Gnulib’s c-stack.c, and works
around a portability bug in draft glibc 2.34, which no longer
defines SIGSTKSZ when _GNU_SOURCE is defined.

(cherry picked from commit f97e07ea80)

ChangeLog.2

@@ -1,3 +1,17 @@
+2017-09-11  Eli Zaretskii  <eliz@gnu.org>
+
+	* etc/NEWS: Document the vulnerability and its resolution.
+	Include a workaround.  Suggested by Charles A. Roelli
+	<charles@aurox.ch>.
+
+	* lisp/gnus/mm-view.el (mm-inline-text): Disable decoding of
+	"enriched" and "richtext" MIME objects.  Suggested by Lars
+	Ingebrigtsen <larsi@gnus.org>.
+
+	* lisp/textmodes/enriched.el (enriched-decode-display-prop):
+	Don't produce 'display' properties.  (Bug#28350)
+
+
 2017-04-20  Nicolas Petton  <nicolas@petton.fr>
 
 	* Version 25.2 released.

README

@@ -2,7 +2,7 @@ Copyright (C) 2001-2017 Free Software Foundation, Inc.
 See the end of the file for license conditions.
 
 
-This directory tree holds version 25.2.50 of GNU Emacs, the extensible,
+This directory tree holds version 25.3.50 of GNU Emacs, the extensible,
 customizable, self-documenting real-time display editor.
 
 The file INSTALL in this directory says how to build and install GNU

configure.ac

@@ -23,7 +23,7 @@ dnl  along with GNU Emacs.  If not, see <http://www.gnu.org/licenses/>.
 
 AC_PREREQ(2.65)
 dnl Note this is parsed by (at least) make-dist and lisp/cedet/ede/emacs.el.
-AC_INIT(GNU Emacs, 25.2.50, bug-gnu-emacs@gnu.org)
+AC_INIT(GNU Emacs, 25.3.50, bug-gnu-emacs@gnu.org)
 
 dnl Set emacs_config_options to the options of 'configure', quoted for the shell,
 dnl and then quoted again for a C string.  Separate options with spaces.
@@ -953,6 +953,8 @@ AS_IF([test "$gl_gcc_warnings" != yes],
     gl_WARN_ADD([$w])
   done
   gl_WARN_ADD([-Wredundant-decls])     # Prefer this, as we don't use Bison.
+  gl_WARN_ADD([-Wno-bool-operation])   # Emacs 26 is clean, 25 is not.
+  gl_WARN_ADD([-Wno-implicit-fallthrough]) # Emacs 26 is clean, 25 is not.
   gl_WARN_ADD([-Wno-missing-field-initializers]) # We need this one
   gl_WARN_ADD([-Wno-sign-compare])     # Too many warnings for now
   gl_WARN_ADD([-Wno-type-limits])      # Too many warnings for now

etc/HISTORY

@@ -211,6 +211,8 @@ GNU Emacs 25.1 (2016-09-16) emacs-25.1
 
 GNU Emacs 25.2 (2017-04-20) emacs-25.2
 
+GNU Emacs 25.3 (2017-09-11) emacs-25.3
+
 
 ----------------------------------------------------------------------
 This file is part of GNU Emacs.

etc/NEWS

@@ -15,6 +15,35 @@ and NEWS.1-17 for changes in older Emacs versions.
 You can narrow news to a specific version by calling 'view-emacs-news'
 with a prefix argument or by typing C-u C-h C-n.
 
+
+* Changes in Emacs 25.4
+
+
+* Changes in Emacs 25.3
+
+This is an emergency release to fix a security vulnerability in Emacs.
+
+** Security vulnerability related to Enriched Text mode is removed.
+
+*** Enriched Text mode has its support for decoding 'x-display' disabled.
+This feature allows saving 'display' properties as part of text.
+Emacs 'display' properties support evaluation of arbitrary Lisp forms
+as part of instantiating the property, so decoding 'x-display' is
+vulnerable to executing arbitrary malicious Lisp code included in the
+text (e.g., sent as part of an email message).
+
+This vulnerability was introduced in Emacs 21.1.  To work around that
+in Emacs versions before 25.3, append the following to your ~/.emacs
+init file:
+
+  (eval-after-load "enriched"
+    '(defun enriched-decode-display-prop (start end &optional param)
+       (list start end)))
+
+*** Gnus no longer supports "richtext" and "enriched" inline MIME objects.
+This support was disabled to avoid evaluation of arbitrary Lisp code
+contained in email messages and news articles.
+
 
 * Changes in Emacs 25.2
 

lisp/gnus/mm-view.el

@@ -383,10 +383,12 @@
 	(goto-char (point-max))))
     (save-restriction
       (narrow-to-region b (point))
-      (when (member type '("enriched" "richtext"))
-        (set-text-properties (point-min) (point-max) nil)
-	(ignore-errors
-	  (enriched-decode (point-min) (point-max))))
+      ;; Disabled in Emacs 25.3 to avoid execution of arbitrary Lisp
+      ;; forms in display properties supported by enriched.el.
+      ;; (when (member type '("enriched" "richtext"))
+      ;;   (set-text-properties (point-min) (point-max) nil)
+      ;; 	(ignore-errors
+      ;; 	  (enriched-decode (point-min) (point-max))))
       (mm-handle-set-undisplayer
        handle
        `(lambda ()

lisp/net/tls.el

@@ -106,7 +106,7 @@ successful negotiation."
 	  (repeat :inline t :tag "Other" (string)))
     (list :tag "List of commands"
 	  (repeat :tag "Command" (string))))
-  :version "25.3"                       ; remove s_client
+  :version "25.4"                       ; remove s_client
   :group 'tls)
 
 (defcustom tls-process-connection-type nil

lisp/textmodes/enriched.el

@@ -503,6 +503,9 @@ the range of text to assign text property SYMBOL with value VALUE."
 		  (error nil)))))
     (unless prop
       (message "Warning: invalid <x-display> parameter %s" param))
-    (list start end 'display prop)))
+    ;; Disabled in Emacs 25.3 to avoid execution of arbitrary Lisp
+    ;; forms in display properties stored within enriched text.
+    ;; (list start end 'display prop)))
+    (list start end)))
 
 ;;; enriched.el ends here

msdos/sed2v2.inp

@@ -66,7 +66,7 @@
 /^#undef PACKAGE_TARNAME/s/^.*$/#define PACKAGE_TARNAME ""/
 /^#undef PACKAGE_VERSION/s/^.*$/#define PACKAGE_VERSION VERSION/
 /^#undef PENDING_OUTPUT_COUNT/s/^.*$/#define PENDING_OUTPUT_COUNT(FILE) ((FILE)->_ptr - (FILE)->_base)/
-/^#undef VERSION/s/^.*$/#define VERSION "25.2.50"/
+/^#undef VERSION/s/^.*$/#define VERSION "25.3.50"/
 /^#undef SYSTEM_TYPE/s/^.*$/#define SYSTEM_TYPE "ms-dos"/
 /^#undef HAVE_DECL_GETENV/s/^.*$/#define HAVE_DECL_GETENV 1/
 /^#undef SYS_SIGLIST_DECLARED/s/^.*$/#define SYS_SIGLIST_DECLARED 1/

nt/README.W32

@@ -1,7 +1,7 @@
 Copyright (C) 2001-2017 Free Software Foundation, Inc.
 See the end of the file for license conditions.
 
-		Emacs version 25.2.50 for MS-Windows
+		Emacs version 25.3.50 for MS-Windows
 
   This README file describes how to set up and run a precompiled
   distribution of the latest version of GNU Emacs for MS-Windows.  You

src/character.h

@@ -590,6 +590,7 @@ sanitize_char_width (EMACS_INT width)
    columns C will occupy on the screen when displayed in the current
    buffer.  */
 
+#undef CHAR_WIDTH /* in case system headers follow ISO/IEC TS 18661-1:2014 */
 #define CHAR_WIDTH(c)		\
   (ASCII_CHAR_P (c)		\
    ? ASCII_CHAR_WIDTH (c)	\

src/search.c

@@ -1833,6 +1833,7 @@ boyer_moore (EMACS_INT n, unsigned char *base_pat,
     {
       /* Setup translate_prev_byte1/2/3/4 from CHAR_BASE.  Only a
 	 byte following them are the target of translation.  */
+      eassume (0x80 <= char_base && char_base <= MAX_CHAR);
       unsigned char str[MAX_MULTIBYTE_LENGTH];
       int cblen = CHAR_STRING (char_base, str);
 

src/sysdep.c

@@ -1624,7 +1624,15 @@ handle_arith_signal (int sig)
 
 /* Alternate stack used by SIGSEGV handler below.  */
 
-static unsigned char sigsegv_stack[SIGSTKSZ];
+/* Storage for the alternate signal stack.
+   64 KiB is not too large for Emacs, and is large enough
+   for all known platforms.  Smaller sizes may run into trouble.
+   For example, libsigsegv 2.6 through 2.8 have a bug where some
+   architectures use more than the Linux default of an 8 KiB alternate
+   stack when deciding if a fault was caused by stack overflow.  */
+static max_align_t sigsegv_stack[(64 * 1024
+				  + sizeof (max_align_t) - 1)
+				 / sizeof (max_align_t)];
 
 
 /* Return true if SIGINFO indicates a stack overflow.  */

src/xterm.c

@@ -1911,6 +1911,7 @@ x_draw_glyphless_glyph_string_foreground (struct glyph_string *s)
 	}
       else if (glyph->u.glyphless.method == GLYPHLESS_DISPLAY_HEX_CODE)
 	{
+	  eassume (glyph->u.glyphless.ch <= MAX_CHAR);
 	  sprintf (buf, "%0*X",
 		   glyph->u.glyphless.ch < 0x10000 ? 4 : 6,
 		   glyph->u.glyphless.ch + 0u);