oss-sec mailing list archives
Re: Is CVE-2024-30203 bogus? (Emacs)
From: Eli Zaretskii <eliz () gnu org>
Date: Mon, 08 Apr 2024 14:38:35 +0300
> From: Sean Whitton <spwhitton () spwhitton name>
> Cc: emacs () packages debian org, emacs-devel () gnu org, oss-security () lists openwall com
> Date: Mon, 08 Apr 2024 15:05:21 +0800
>
> The description for CVE-2024-30203 is
>
>     In Emacs before 29.3, Gnus treats inline MIME contents as trusted.
>
> and for CVE-2024-30204 is
>
>     In Emacs before 29.3, LaTeX preview is enabled by default for e-mail attachments.
>
> but I think these commits
>
> * ccc188fcf98..: Ihor Radchenko 2024-02-20
>   * lisp/files.el (untrusted-content): New variable.
> * 937b9042ad7..: Ihor Radchenko 2024-02-20
>   * lisp/gnus/mm-view.el (mm-display-inline-fontify): Mark contents untrusted.
> * 6f9ea396f49..: Ihor Radchenko 2024-02-20
>   org-latex-preview: Add protection when `untrusted-content' is non-nil
>
> fix only a single problem, right? But we have two CVEs. It seems to me that either
>
> - CVE-2024-30203 is just bogus, based on a misunderstanding by the CVEs assigner of exactly what the vulnerabilities were
> - CVE-2024-30203 is legitimate, and we have only fixed one possible way in which Gnus treats inline MIME content as trusted.
>
> I think it's the first one -- can you confirm?
I'm not Ihor, but I cannot agree with you. Those changes fixed two problems, not one: both the fact that by default MIME attachments are treated in a way that can execute arbitrary code, and the fact that a maliciously constructed LaTeX attachment could exhaust all free space on your disk.
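The commits quoted above describe a trust-marking pattern: the MIME display path sets a buffer-local `untrusted-content` flag, and the LaTeX preview path refuses to run when that flag is non-nil. The Emacs Lisp below is an added illustration of that pattern written for this archive page; it is not Emacs's own code from those commits. Only the variable name `untrusted-content` comes from the thread; the function names `example-display-mime-part` and `example-latex-preview`, and the sample MIME text, are hypothetical placeholders constructed for the example.

```elisp
;; Added illustration, not code from Emacs.  `untrusted-content' is the
;; variable named in the commits above; the function names below are
;; hypothetical stand-ins for the real MIME display and preview entry points.

(defvar untrusted-content nil
  "Non-nil when the current buffer holds content from an untrusted source.
Meant to be set buffer-locally by whatever inserts the content.")

(defun example-display-mime-part (text)
  "Insert TEXT from a MIME part into a buffer and mark that buffer untrusted.
Hypothetical stand-in for the MIME display path; the marking is the point."
  (with-current-buffer (get-buffer-create "*example-mime-part*")
    (erase-buffer)
    (insert text)
    ;; Record the origin so downstream features can decline risky processing.
    (setq-local untrusted-content t)
    (current-buffer)))

(defun example-latex-preview (buffer)
  "Return a preview marker for BUFFER, or nil if its content is untrusted.
Hypothetical stand-in for the preview entry point.  Refusing here means no
external LaTeX process is ever started on text that came from an attachment."
  (with-current-buffer buffer
    (cond
     (untrusted-content
      (message "LaTeX preview skipped: buffer content is marked untrusted")
      nil)
     (t
      ;; Only reached for content the user wrote or explicitly trusts.
      'preview-would-run-here))))

;; Constructed sample: a harmless LaTeX fragment arriving as a MIME part.
;; The preview call returns nil because the buffer was marked untrusted.
(example-latex-preview
 (example-display-mime-part "Some text with $x^2 + y^2 = z^2$ inline."))

;; For comparison, a buffer the user created themselves is not marked,
;; so the same preview call proceeds.
(with-temp-buffer
  (insert "Local note: $e^{i\\pi} + 1 = 0$")
  (example-latex-preview (current-buffer)))
```

The design point the pattern relies on is that the flag travels with the buffer, so every later feature (preview, fontification, anything that might spawn a process or write files) can make one cheap check instead of each re-deriving where the text came from.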
Current thread:
- Is CVE-2024-30203 bogus? (Emacs) Sean Whitton (Apr 08)
- Re: Is CVE-2024-30203 bogus? (Emacs) Eli Zaretskii (Apr 08)
- Re: Is CVE-2024-30203 bogus? (Emacs) Max Nikulin (Apr 08)
- Re: Is CVE-2024-30203 bogus? (Emacs) Ihor Radchenko (Apr 08)
- Re: Is CVE-2024-30203 bogus? (Emacs) Sean Whitton (Apr 10)
- Re: Is CVE-2024-30203 bogus? (Emacs) Ihor Radchenko (Apr 10)
- Re: Re: Is CVE-2024-30203 bogus? (Emacs) Salvatore Bonaccorso (Apr 10)
- Re: Is CVE-2024-30203 bogus? (Emacs) Max Nikulin (Apr 10)
- Re: Is CVE-2024-30203 bogus? (Emacs) Sean Whitton (Apr 11)
- Re: Re: Is CVE-2024-30203 bogus? (Emacs) Sean Whitton (Apr 11)
- Re: Is CVE-2024-30203 bogus? (Emacs) Max Nikulin (Apr 11)
- Re: Is CVE-2024-30203 bogus? (Emacs) Sean Whitton (Apr 10)
- Re: Is CVE-2024-30203 bogus? (Emacs) Eli Zaretskii (Apr 08)