Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

Re: Is CVE-2024-30203 bogus? (Emacs)

Related Vulnerabilities: CVE-2024-30203  
Source 
                							

                <!--X-Body-Begin-->
<!--X-User-Header-->

oss-sec
mailing list archives
<!--X-User-Header-End-->
<!--X-TopPNI-->

By Date

By Thread

</form>

<!--X-TopPNI-End-->
<!--X-MsgBody-->
<!--X-Subject-Header-Begin-->
Re: Is CVE-2024-30203 bogus? (Emacs)

<!--X-Subject-Header-End-->
<!--X-Head-of-Message-->

From: Max Nikulin &lt;manikulin () gmail com&gt;

Date: Thu, 11 Apr 2024 17:38:48 +0700

<!--X-Head-of-Message-End-->
<!--X-Head-Body-Sep-Begin-->

<!--X-Head-Body-Sep-End-->
<!--X-Body-of-Message-->
On 11/04/2024 16:13, Sean Whitton wrote:
On Wed 10 Apr 2024 at 04:17pm +02, Salvatore Bonaccorso wrote:

Note that the CVE assignment (by MITRE as assigning CNA) for
CVE-2024-30203 is explicitly as follows:

In Emacs before 29.3, Gnus treats inline MIME contents as trusted.

https://git.savannah.gnu.org/cgit/emacs.git/commit/?h=emacs-29&amp;id=937b9042ad7426acdcca33e3d931d8f495bdd804

This commit doesn't fix anything at all, just fyi.

This Emacs commit

    2024-02-20 12:44:30 +0300 Ihor Radchenko:
    * lisp/gnus/mm-view.el (mm-display-inline-fontify): Mark contents 
untrusted.)

is not enough to fix the issue. More changes are required to make the
fix effective, namely

ccc188fcf98 2024-02-20 12:43:51 +0300 Ihor Radchenko: * lisp/files.el 
(untrusted-content): New variable.
6f9ea396f49 2024-02-20 12:47:24 +0300 Ihor Radchenko: org-latex-preview: 
Add protection when `untrusted-content' is non-nil

When external Org mode is loaded, that version should contain

https://git.savannah.gnu.org/cgit/emacs/org-mode.git/commit/?id=03635a335
2024-02-20 12:47:24 +0300 Ihor Radchenko: org-latex-preview: Add 
protection when `untrusted-content' is non-nil

besides Emacs commits ccc188fcf98 and 937b9042ad7

Emacs commit 6f9ea396f49 (fix of built-in Org mode) is currently
associated with CVE-2024-30203, however Org mode commit 03635a335
is not.

<!--X-Body-of-Message-End-->
<!--X-MsgBody-End-->
<!--X-Follow-Ups-->

<!--X-Follow-Ups-End-->
<!--X-References-->
<!--X-References-End-->
<!--X-BotPNI-->

By Date

By Thread

Current thread:

Is CVE-2024-30203 bogus? (Emacs) Sean Whitton (Apr 08)

Re: Is CVE-2024-30203 bogus? (Emacs) Eli Zaretskii (Apr 08)

Re: Is CVE-2024-30203 bogus? (Emacs) Max Nikulin (Apr 08)

Re: Is CVE-2024-30203 bogus? (Emacs) Ihor Radchenko (Apr 08)

Re: Is CVE-2024-30203 bogus? (Emacs) Sean Whitton (Apr 10)

Re: Is CVE-2024-30203 bogus? (Emacs) Ihor Radchenko (Apr 10)
Re: Re: Is CVE-2024-30203 bogus? (Emacs) Salvatore Bonaccorso (Apr 10)
Re: Is CVE-2024-30203 bogus? (Emacs) Max Nikulin (Apr 10)
Re: Is CVE-2024-30203 bogus? (Emacs) Sean Whitton (Apr 11)

Re: Re: Is CVE-2024-30203 bogus? (Emacs) Sean Whitton (Apr 11)
Re: Is CVE-2024-30203 bogus? (Emacs) Max Nikulin (Apr 11)

<!--X-BotPNI-End-->
<!--X-User-Footer-->
<!--X-User-Footer-End-->

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started