'Significant security hole' in emacs from repository

I noticed on the gnu.org website (https://www.gnu.org/software/emacs/) that version 25.3 was an “emergency release to fix a security vulnerability in emacs”. From what I can see, the repository still has version 25.2.2. There is apparently a workaround which I have implemented, but I am confused about why it wasn’t updated. It seems that many people could still be using this version without the fix, as I was for a while.


I noticed that Debian buster has moved to 26.1, and, eventually, this is where the contents of green are supposed to come from. Unfortunately, I have seen significant lag in some package versions and have never found out why. (My ‘dependency guess’ failed me over the holidays.)

It sounds like the update process is being worked on, but I do not know when the Purism folks will reach a conclusion.

For anyone concerned, this fixes the security issue and is included in the same document that describes the vulnerability.

This vulnerability was introduced in Emacs 21.1.  To work around that
in Emacs versions before 25.3, append the following to your ~/.emacs
init file:

  (eval-after-load "enriched"
    '(defun enriched-decode-display-prop (start end &optional param)
       (list start end)))
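An added example (not part of the thread above or of the Emacs announcement it quotes) that wraps the same workaround so it is only applied on Emacs builds older than 25.3, and adds a small check you can run with M-: to confirm the override actually took effect. The `my/` names are assumptions introduced here; `version<`, `emacs-version` and `eval-after-load` are standard Emacs Lisp.

```elisp
;; Added example, not from the original post or the Emacs announcement.
;; The `my/' prefix is an assumed naming convention for init-file helpers.

(defconst my/enriched-fixed-version "25.3"
  "First Emacs release the announcement names as carrying the fix.")

(defun my/enriched-display-prop-neutralized-p ()
  "Return non-nil if the init-file override of
`enriched-decode-display-prop' is in effect.
The override from the announcement makes the function return just
(START END), dropping the display spec; the stock function returns
a longer list that still carries a `display' entry.  The argument
passed here is an inert string, nothing in it is evaluated."
  (require 'enriched)
  (equal (enriched-decode-display-prop 1 2 "(ignored)") '(1 2)))

(defun my/enriched-status ()
  "Classify the running Emacs with respect to the enriched-mode issue.
Returns `fixed-release' for 25.3 or newer, `workaround-active' when the
init-file override is in place, and `unprotected' otherwise."
  (cond ((not (version< emacs-version my/enriched-fixed-version))
         'fixed-release)
        ((my/enriched-display-prop-neutralized-p)
         'workaround-active)
        (t 'unprotected)))

;; Apply the announcement's workaround only where it is still needed.
;; `eval-after-load' runs the form once enriched.el has been loaded, so the
;; override replaces the library's definition rather than being clobbered
;; by it.
(when (version< emacs-version my/enriched-fixed-version)
  (eval-after-load "enriched"
    '(defun enriched-decode-display-prop (start end &optional param)
       (list start end))))

;; Usage, after loading this from ~/.emacs:
;;   M-: (my/enriched-status)
;; On a 25.2.2 build with the override loaded this yields `workaround-active'.
```

The version guard matters once the distribution finally ships 25.3 or later: without it the override would keep silently discarding every display spec in text/enriched files on a build that no longer needs it. Note also what the workaround costs on an old build: `enriched-decode-display-prop` returning only `(START END)` means any legitimate inline display markup in enriched files is dropped along with the dangerous kind.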