oss-sec mailing list archives
Is CVE-2024-30203 bogus? (Emacs)
From: Sean Whitton <spwhitton () spwhitton name>
Date: Mon, 08 Apr 2024 15:05:21 +0800
Hello Ihor, The description for CVE-2024-30203 is In Emacs before 29.3, Gnus treats inline MIME contents as trusted. and for CVE-2024-30204 is In Emacs before 29.3, LaTeX preview is enabled by default for e-mail attachments. but I think these commits * ccc188fcf98..: Ihor Radchenko 2024-02-20 * lisp/files.el (untrusted-content): New variable. * 937b9042ad7..: Ihor Radchenko 2024-02-20 * lisp/gnus/mm-view.el (mm-display-inline-fontify): Mark contents untrusted. * 6f9ea396f49..: Ihor Radchenko 2024-02-20 org-latex-preview: Add protection when `untrusted-content' is non-nil fix only a single problem, right? But we have two CVEs. It seems to me that either - CVE-2024-30203 is just bogus, based on a misunderstanding by the CVEs assigner of exactly what the vulnerabilities were - CVE-2024-30203 is legitimate, and we have only fixed one possible way in which Gnus treats inline MIME content as trusted. I think it's the first one -- can you confirm? Thanks. -- Sean Whitton
Attachment:
signature.asc
Description:
Current thread:
- Is CVE-2024-30203 bogus? (Emacs) Sean Whitton (Apr 08)
- Re: Is CVE-2024-30203 bogus? (Emacs) Eli Zaretskii (Apr 08)
- Re: Is CVE-2024-30203 bogus? (Emacs) Max Nikulin (Apr 08)
- Re: Is CVE-2024-30203 bogus? (Emacs) Ihor Radchenko (Apr 08)
- Re: Is CVE-2024-30203 bogus? (Emacs) Sean Whitton (Apr 10)
- Re: Is CVE-2024-30203 bogus? (Emacs) Ihor Radchenko (Apr 10)
- Re: Re: Is CVE-2024-30203 bogus? (Emacs) Salvatore Bonaccorso (Apr 10)
- Re: Is CVE-2024-30203 bogus? (Emacs) Max Nikulin (Apr 10)
- Re: Is CVE-2024-30203 bogus? (Emacs) Sean Whitton (Apr 11)
- Re: Re: Is CVE-2024-30203 bogus? (Emacs) Sean Whitton (Apr 11)
- Re: Is CVE-2024-30203 bogus? (Emacs) Max Nikulin (Apr 11)
- Re: Is CVE-2024-30203 bogus? (Emacs) Sean Whitton (Apr 10)
- Re: Is CVE-2024-30203 bogus? (Emacs) Eli Zaretskii (Apr 08)