oss-sec mailing list archives
Re: Re: Is CVE-2024-30203 bogus? (Emacs)
From: Salvatore Bonaccorso <carnil () debian org>
Date: Wed, 10 Apr 2024 16:17:15 +0200
Hi,

On Wed, Apr 10, 2024 at 12:04:06PM +0000, Ihor Radchenko wrote:
> Sean Whitton <spwhitton () spwhitton name> writes:
>
>> Hmm, thank you, but let me ask a follow-up question: do you agree with me that there is only one security flaw covered by these two CVEs, and CVE-2024-30203 is the superfluous one?
>
> Yes, CVE-2024-30203 title is superfluous. And CVE-2024-30204 title is not accurate - it only applies to certain attachments with specific (text/x-org) mime type.

Note that the CVE assignment (by MITRE as assigning CNA) for CVE-2024-30203 is explicitly as follows:

In Emacs before 29.3, Gnus treats inline MIME contents as trusted.

associated with:
https://git.savannah.gnu.org/cgit/emacs.git/commit/?h=emacs-29&id=937b9042ad7426acdcca33e3d931d8f495bdd804

If you think the CVE assignment is not valid, then you might ask for a REJECT on https://cveform.mitre.org/ .

Regards,
Salvatore