oss-sec mailing list archives
Re: Is CVE-2024-30203 bogus? (Emacs)
From: Max Nikulin <manikulin () gmail com>
Date: Thu, 11 Apr 2024 17:38:48 +0700
On 11/04/2024 16:13, Sean Whitton wrote:
On Wed 10 Apr 2024 at 04:17pm +02, Salvatore Bonaccorso wrote:Note that the CVE assignment (by MITRE as assigning CNA) for CVE-2024-30203 is explicitly as follows:In Emacs before 29.3, Gnus treats inline MIME contents as trusted.https://git.savannah.gnu.org/cgit/emacs.git/commit/?h=emacs-29&id=937b9042ad7426acdcca33e3d931d8f495bdd804This commit doesn't fix anything at all, just fyi.
This Emacs commit 2024-02-20 12:44:30 +0300 Ihor Radchenko:* lisp/gnus/mm-view.el (mm-display-inline-fontify): Mark contents untrusted.)
is not enough to fix the issue. More changes are required to make the fix effective, namelyccc188fcf98 2024-02-20 12:43:51 +0300 Ihor Radchenko: * lisp/files.el (untrusted-content): New variable. 6f9ea396f49 2024-02-20 12:47:24 +0300 Ihor Radchenko: org-latex-preview: Add protection when `untrusted-content' is non-nil
When external Org mode is loaded, that version should contain https://git.savannah.gnu.org/cgit/emacs/org-mode.git/commit/?id=03635a3352024-02-20 12:47:24 +0300 Ihor Radchenko: org-latex-preview: Add protection when `untrusted-content' is non-nil
besides Emacs commits ccc188fcf98 and 937b9042ad7 Emacs commit 6f9ea396f49 (fix of built-in Org mode) is currently associated with CVE-2024-30203, however Org mode commit 03635a335 is not.
Current thread:
- Is CVE-2024-30203 bogus? (Emacs) Sean Whitton (Apr 08)
- Re: Is CVE-2024-30203 bogus? (Emacs) Eli Zaretskii (Apr 08)
- Re: Is CVE-2024-30203 bogus? (Emacs) Max Nikulin (Apr 08)
- Re: Is CVE-2024-30203 bogus? (Emacs) Ihor Radchenko (Apr 08)
- Re: Is CVE-2024-30203 bogus? (Emacs) Sean Whitton (Apr 10)
- Re: Is CVE-2024-30203 bogus? (Emacs) Ihor Radchenko (Apr 10)
- Re: Re: Is CVE-2024-30203 bogus? (Emacs) Salvatore Bonaccorso (Apr 10)
- Re: Is CVE-2024-30203 bogus? (Emacs) Max Nikulin (Apr 10)
- Re: Is CVE-2024-30203 bogus? (Emacs) Sean Whitton (Apr 11)
- Re: Re: Is CVE-2024-30203 bogus? (Emacs) Sean Whitton (Apr 11)
- Re: Is CVE-2024-30203 bogus? (Emacs) Max Nikulin (Apr 11)
- Re: Is CVE-2024-30203 bogus? (Emacs) Sean Whitton (Apr 10)
- Re: Is CVE-2024-30203 bogus? (Emacs) Eli Zaretskii (Apr 08)