oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Is CVE-2024-30203 bogus? (Emacs)

From: Max Nikulin <manikulin () gmail com>
Date: Thu, 11 Apr 2024 17:38:48 +0700
On 11/04/2024 16:13, Sean Whitton wrote:

On Wed 10 Apr 2024 at 04:17pm +02, Salvatore Bonaccorso wrote:


Note that the CVE assignment (by MITRE as assigning CNA) for
CVE-2024-30203 is explicitly as follows:


In Emacs before 29.3, Gnus treats inline MIME contents as trusted.


https://git.savannah.gnu.org/cgit/emacs.git/commit/?h=emacs-29&id=937b9042ad7426acdcca33e3d931d8f495bdd804


This commit doesn't fix anything at all, just fyi.


This Emacs commit

    2024-02-20 12:44:30 +0300 Ihor Radchenko:
* lisp/gnus/mm-view.el (mm-display-inline-fontify): Mark contents untrusted.) 

is not enough to fix the issue. More changes are required to make the
fix effective, namely
ccc188fcf98 2024-02-20 12:43:51 +0300 Ihor Radchenko: * lisp/files.el (untrusted-content): New variable. 6f9ea396f49 2024-02-20 12:47:24 +0300 Ihor Radchenko: org-latex-preview: Add protection when `untrusted-content' is non-nil 


When external Org mode is loaded, that version should contain

https://git.savannah.gnu.org/cgit/emacs/org-mode.git/commit/?id=03635a335
2024-02-20 12:47:24 +0300 Ihor Radchenko: org-latex-preview: Add protection when `untrusted-content' is non-nil 

besides Emacs commits ccc188fcf98 and 937b9042ad7

Emacs commit 6f9ea396f49 (fix of built-in Org mode) is currently
associated with CVE-2024-30203, however Org mode commit 03635a335
is not.
Previous By Date Next
Previous By Thread Next

Current thread: