<!--X-Body-Begin-->
<!--X-User-Header-->
oss-sec
mailing list archives
<!--X-User-Header-End-->
<!--X-TopPNI-->
By Date
By Thread
</form>
<!--X-TopPNI-End-->
<!--X-MsgBody-->
<!--X-Subject-Header-Begin-->
Re: Is CVE-2024-30203 bogus? (Emacs)
<!--X-Subject-Header-End-->
<!--X-Head-of-Message-->
From: Max Nikulin <manikulin () gmail com>
Date: Thu, 11 Apr 2024 17:38:48 +0700
<!--X-Head-of-Message-End-->
<!--X-Head-Body-Sep-Begin-->
<!--X-Head-Body-Sep-End-->
<!--X-Body-of-Message-->
On 11/04/2024 16:13, Sean Whitton wrote:
On Wed 10 Apr 2024 at 04:17pm +02, Salvatore Bonaccorso wrote:
Note that the CVE assignment (by MITRE as assigning CNA) for
CVE-2024-30203 is explicitly as follows:
In Emacs before 29.3, Gnus treats inline MIME contents as trusted.
https://git.savannah.gnu.org/cgit/emacs.git/commit/?h=emacs-29&id=937b9042ad7426acdcca33e3d931d8f495bdd804
This commit doesn't fix anything at all, just fyi.
This Emacs commit
2024-02-20 12:44:30 +0300 Ihor Radchenko:
* lisp/gnus/mm-view.el (mm-display-inline-fontify): Mark contents
untrusted.)
is not enough to fix the issue. More changes are required to make the
fix effective, namely
ccc188fcf98 2024-02-20 12:43:51 +0300 Ihor Radchenko: * lisp/files.el
(untrusted-content): New variable.
6f9ea396f49 2024-02-20 12:47:24 +0300 Ihor Radchenko: org-latex-preview:
Add protection when `untrusted-content' is non-nil
When external Org mode is loaded, that version should contain
https://git.savannah.gnu.org/cgit/emacs/org-mode.git/commit/?id=03635a335
2024-02-20 12:47:24 +0300 Ihor Radchenko: org-latex-preview: Add
protection when `untrusted-content' is non-nil
besides Emacs commits ccc188fcf98 and 937b9042ad7
Emacs commit 6f9ea396f49 (fix of built-in Org mode) is currently
associated with CVE-2024-30203, however Org mode commit 03635a335
is not.
<!--X-Body-of-Message-End-->
<!--X-MsgBody-End-->
<!--X-Follow-Ups-->
<!--X-Follow-Ups-End-->
<!--X-References-->
<!--X-References-End-->
<!--X-BotPNI-->
By Date
By Thread
Current thread:
Is CVE-2024-30203 bogus? (Emacs) Sean Whitton (Apr 08)
Re: Is CVE-2024-30203 bogus? (Emacs) Eli Zaretskii (Apr 08)
Re: Is CVE-2024-30203 bogus? (Emacs) Max Nikulin (Apr 08)
Re: Is CVE-2024-30203 bogus? (Emacs) Ihor Radchenko (Apr 08)
Re: Is CVE-2024-30203 bogus? (Emacs) Sean Whitton (Apr 10)
Re: Is CVE-2024-30203 bogus? (Emacs) Ihor Radchenko (Apr 10)
Re: Re: Is CVE-2024-30203 bogus? (Emacs) Salvatore Bonaccorso (Apr 10)
Re: Is CVE-2024-30203 bogus? (Emacs) Max Nikulin (Apr 10)
Re: Is CVE-2024-30203 bogus? (Emacs) Sean Whitton (Apr 11)
Re: Re: Is CVE-2024-30203 bogus? (Emacs) Sean Whitton (Apr 11)
Re: Is CVE-2024-30203 bogus? (Emacs) Max Nikulin (Apr 11)
<!--X-BotPNI-End-->
<!--X-User-Footer-->
<!--X-User-Footer-End-->