Merge Emacs 25.3 fixes

The security patches released for Emacs 25.3 were less drastic
than what we had immediately put into master.  Adjust master to
match 25.3 (Bug#28350).
* lisp/textmodes/enriched.el (enriched-translations):
Re-enable FUNCTION and display translations that are safe.
(enriched-handle-display-prop): Bring back.
(enriched-decode-display-prop): Bring back, but disable
the unsafe part.

ChangeLog.2

@@ -1,3 +1,17 @@
+2017-09-11  Eli Zaretskii  <eliz@gnu.org>
+
+	* etc/NEWS: Document the vulnerability and its resolution.
+	Include a workaround.  Suggested by Charles A. Roelli
+	<charles@aurox.ch>.
+
+	* lisp/gnus/mm-view.el (mm-inline-text): Disable decoding of
+	"enriched" and "richtext" MIME objects.  Suggested by Lars
+	Ingebrigtsen <larsi@gnus.org>.
+
+	* lisp/textmodes/enriched.el (enriched-decode-display-prop):
+	Don't produce 'display' properties.  (Bug#28350)
+
+
 2017-04-20  Nicolas Petton  <nicolas@petton.fr>
 
 	* Version 25.2 released.

etc/HISTORY

@@ -211,6 +211,8 @@ GNU Emacs 25.1 (2016-09-16) emacs-25.1
 
 GNU Emacs 25.2 (2017-04-20) emacs-25.2
 
+GNU Emacs 25.3 (2017-09-11) emacs-25.3
+
 
 ----------------------------------------------------------------------
 This file is part of GNU Emacs.

lisp/gnus/mm-view.el

@@ -362,6 +362,12 @@
 	(goto-char (point-max))))
     (save-restriction
       (narrow-to-region b (point))
+      ;; Disabled in Emacs 25.3 to avoid execution of arbitrary Lisp
+      ;; forms in display properties supported by enriched.el.
+      ;; (when (member type '("enriched" "richtext"))
+      ;;   (set-text-properties (point-min) (point-max) nil)
+      ;; 	(ignore-errors
+      ;; 	  (enriched-decode (point-min) (point-max))))
       (mm-handle-set-undisplayer
        handle
        `(lambda ()

lisp/textmodes/enriched.el

@@ -117,7 +117,12 @@ expression, which is evaluated to get the string to insert.")
 		   (full        "flushboth")
 		   (center      "center"))
     (PARAMETER     (t           "param")) ; Argument of preceding annotation
+    ;; The following are not part of the standard:
+    (FUNCTION      (enriched-decode-foreground "x-color")
+		   (enriched-decode-background "x-bg-color")
+		   (enriched-decode-display-prop "x-display"))
     (read-only     (t           "x-read-only"))
+    (display	   (nil		enriched-handle-display-prop))
     (unknown       (nil         format-annotate-value))
 ;   (font-size     (2           "bigger")       ; unimplemented
 ;		   (-2          "smaller"))
@@ -472,5 +477,35 @@ Return value is \(begin end name positive-p), or nil if none was found."
     (message "Warning: no color specified for <x-bg-color>")
     nil))
 
+;;; Handling the `display' property.
+
+
+(defun enriched-handle-display-prop (old new)
+  "Return a list of annotations for a change in the `display' property.
+OLD is the old value of the property, NEW is the new value.  Value
+is a list `(CLOSE OPEN)', where CLOSE is a list of annotations to
+close and OPEN a list of annotations to open.  Each of these lists
+has the form `(ANNOTATION PARAM ...)'."
+  (let ((annotation "x-display")
+	(param (prin1-to-string (or old new))))
+    (if (null old)
+        (cons nil (list (list annotation param)))
+      (cons (list (list annotation param)) nil))))
+
+(defun enriched-decode-display-prop (start end &optional param)
+  "Decode a `display' property for text between START and END.
+PARAM is a `<param>' found for the property.
+Value is a list `(START END SYMBOL VALUE)' with START and END denoting
+the range of text to assign text property SYMBOL with value VALUE."
+  (let ((prop (when (stringp param)
+		(condition-case ()
+		    (car (read-from-string param))
+		  (error nil)))))
+    (unless prop
+      (message "Warning: invalid <x-display> parameter %s" param))
+    ;; Disabled in Emacs 25.3 to avoid execution of arbitrary Lisp
+    ;; forms in display properties stored within enriched text.
+    ;; (list start end 'display prop)))
+    (list start end)))
 
 ;;; enriched.el ends here