Re: Is CVE-2024-30203 bogus? (Emacs)

[Sean Whitton <spwhitton () spwhitton name>]

Hello,

On Mon 08 Apr 2024 at 06:44pm GMT, Ihor Radchenko wrote:

> Sean Whitton <spwhitton () spwhitton name> writes:
>
> > The description for CVE-2024-30203 is
> >
> >     In Emacs before 29.3, Gnus treats inline MIME contents as trusted.
>
> Before Emacs 29.3, there was no concept of trusted or untrusted content
> in Emacs. We introduced it specifically to control whether we allow
> running LaTeX on the contents of a given buffer. (And even in Emacs
> 29.3, the concept of untrusted contents is not yet official) So, at least
> the title is misleading.

Right, it's a purely preliminary change, not fixing any holes in itself.

> > and for CVE-2024-30204 is
> >
> >     In Emacs before 29.3, LaTeX preview is enabled by default for e-mail
> >     attachments.
>
> This is closer to what was happening.
> Note that LaTeX preview itself was not a problem. The problem was that we
> executed actual latex program without user query with input taken from
> buffer text to generate the previews (using the default settings). LaTeX
> input can be specifically constructed to cause DOS when using LaTeX
> compiler, which is especially dangerous when the input is coming from
> emails.
>
> Also, only GNUS and MUA clients re-using gnus libs (at least, notmuch
> and mu4e) were affected. Not rmail, AFAIK.
>
> > ...
> > I think it's the first one -- can you confirm?
>
> I hope that the above clarified things.

Hmm, thank you, but let me ask a follow-up question: do you agree with
me that there is only one security flaw covered by these two CVEs, and
CVE-2024-30203 is the superfluous one?

-- 
Sean Whitton