@@ 0,0 1,85 @@
+This patch fixes a remote code execution vulnerability reported here:
+
+  https://bugs.gnu.org/28350
+  http://www.openwall.com/lists/oss-security/2017/09/11/1
+
+From 9ad0fcc54442a9a01d41be19880250783426db70 Mon Sep 17 00:00:00 2001
+From: Lars Ingebrigtsen <larsi@gnus.org>
+Date: Fri, 8 Sep 2017 20:23:31 -0700
+Subject: Remove unsafe enriched mode translations
+
+* lisp/gnus/mm-view.el (mm-inline-text):
+Do not worry about enriched or richtext type.
+* lisp/textmodes/enriched.el (enriched-translations):
+Remove translations for FUNCTION, display (Bug#28350).
+(enriched-handle-display-prop, enriched-decode-display-prop): Remove.
+---
+ lisp/gnus/mm-view.el       |  4 ----
+ lisp/textmodes/enriched.el | 32 --------------------------------
+ 2 files changed, 36 deletions(-)
+
+diff --git a/lisp/gnus/mm-view.el b/lisp/gnus/mm-view.el
+index e5859d0..77ad271 100644
+--- a/lisp/gnus/mm-view.el
++++ b/lisp/gnus/mm-view.el
+@@ -383,10 +383,6 @@
+ 	(goto-char (point-max))))
+     (save-restriction
+       (narrow-to-region b (point))
+-      (when (member type '("enriched" "richtext"))
+-        (set-text-properties (point-min) (point-max) nil)
+-	(ignore-errors
+-	  (enriched-decode (point-min) (point-max))))
+       (mm-handle-set-undisplayer
+        handle
+        `(lambda ()
+diff --git a/lisp/textmodes/enriched.el b/lisp/textmodes/enriched.el
+index beb6c6d..a8f0d38 100644
+--- a/lisp/textmodes/enriched.el
++++ b/lisp/textmodes/enriched.el
+@@ -117,12 +117,7 @@ expression, which is evaluated to get the string to insert.")
+ 		   (full        "flushboth")
+ 		   (center      "center"))
+     (PARAMETER     (t           "param")) ; Argument of preceding annotation
+-    ;; The following are not part of the standard:
+-    (FUNCTION      (enriched-decode-foreground "x-color")
+-		   (enriched-decode-background "x-bg-color")
+-		   (enriched-decode-display-prop "x-display"))
+     (read-only     (t           "x-read-only"))
+-    (display	   (nil		enriched-handle-display-prop))
+     (unknown       (nil         format-annotate-value))
+ ;   (font-size     (2           "bigger")       ; unimplemented
+ ;		   (-2          "smaller"))
+@@ -477,32 +472,5 @@ Return value is \(begin end name positive-p), or nil if none was found."
+     (message "Warning: no color specified for <x-bg-color>")
+     nil))
+ 
+-;;; Handling the `display' property.
+-
+-
+-(defun enriched-handle-display-prop (old new)
+-  "Return a list of annotations for a change in the `display' property.
+-OLD is the old value of the property, NEW is the new value.  Value
+-is a list `(CLOSE OPEN)', where CLOSE is a list of annotations to
+-close and OPEN a list of annotations to open.  Each of these lists
+-has the form `(ANNOTATION PARAM ...)'."
+-  (let ((annotation "x-display")
+-	(param (prin1-to-string (or old new))))
+-    (if (null old)
+-        (cons nil (list (list annotation param)))
+-      (cons (list (list annotation param)) nil))))
+-
+-(defun enriched-decode-display-prop (start end &optional param)
+-  "Decode a `display' property for text between START and END.
+-PARAM is a `<param>' found for the property.
+-Value is a list `(START END SYMBOL VALUE)' with START and END denoting
+-the range of text to assign text property SYMBOL with value VALUE."
+-  (let ((prop (when (stringp param)
+-		(condition-case ()
+-		    (car (read-from-string param))
+-		  (error nil)))))
+-    (unless prop
+-      (message "Warning: invalid <x-display> parameter %s" param))
+-    (list start end 'display prop)))
+ 
+ ;;; enriched.el ends here