Hello Ihor,
The description for CVE-2024-30203 is
In Emacs before 29.3, Gnus treats inline MIME contents as trusted.
and for CVE-2024-30204 is
In Emacs before 29.3, LaTeX preview is enabled by default for e-mail
attachments.
but I think these commits
* ccc188fcf98..: Ihor Radchenko 2024-02-20 * lisp/files.el
(untrusted-content): New variable.
* 937b9042ad7..: Ihor Radchenko 2024-02-20 * lisp/gnus/mm-view.el
(mm-display-inline-fontify): Mark contents untrusted.
* 6f9ea396f49..: Ihor Radchenko 2024-02-20 org-latex-preview: Add
protection when `untrusted-content' is non-nil
fix only a single problem, right? But we have two CVEs.
It seems to me that either
- CVE-2024-30203 is just bogus, based on a misunderstanding by the CVEs
assigner of exactly what the vulnerabilities were
- CVE-2024-30203 is legitimate, and we have only fixed one possible way
in which Gnus treats inline MIME content as trusted.
I think it's the first one -- can you confirm?
Thanks.
--
Sean Whitton