Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

Re: Is CVE-2024-30203 bogus? (Emacs)

Related Vulnerabilities: CVE-2024-30203   CVE-2024-30204  
Source 
                							

                <!--X-Body-Begin-->
<!--X-User-Header-->

oss-sec
mailing list archives
<!--X-User-Header-End-->
<!--X-TopPNI-->

By Date

By Thread

</form>

<!--X-TopPNI-End-->
<!--X-MsgBody-->
<!--X-Subject-Header-Begin-->
Re: Is CVE-2024-30203 bogus? (Emacs)

<!--X-Subject-Header-End-->
<!--X-Head-of-Message-->

From: Eli Zaretskii &lt;eliz () gnu org&gt;

Date: Mon, 08 Apr 2024 14:38:35 +0300

<!--X-Head-of-Message-End-->
<!--X-Head-Body-Sep-Begin-->

<!--X-Head-Body-Sep-End-->
<!--X-Body-of-Message-->
From: Sean Whitton &lt;spwhitton () spwhitton name&gt;
Cc: emacs () packages debian org, emacs-devel () gnu org,
 oss-security () lists openwall com
Date: Mon, 08 Apr 2024 15:05:21 +0800

The description for CVE-2024-30203 is

    In Emacs before 29.3, Gnus treats inline MIME contents as trusted.

and for CVE-2024-30204 is

    In Emacs before 29.3, LaTeX preview is enabled by default for e-mail
    attachments.

but I think these commits

* ccc188fcf98..: Ihor Radchenko 2024-02-20 * lisp/files.el
  (untrusted-content): New variable.
* 937b9042ad7..: Ihor Radchenko 2024-02-20 * lisp/gnus/mm-view.el
  (mm-display-inline-fontify): Mark contents untrusted.
* 6f9ea396f49..: Ihor Radchenko 2024-02-20 org-latex-preview: Add
  protection when `untrusted-content' is non-nil

fix only a single problem, right?  But we have two CVEs.

It seems to me that either

- CVE-2024-30203 is just bogus, based on a misunderstanding by the CVEs
  assigner of exactly what the vulnerabilities were

- CVE-2024-30203 is legitimate, and we have only fixed one possible way
  in which Gnus treats inline MIME content as trusted.

I think it's the first one -- can you confirm?

I'm not Ihor, but I cannot agree with you.  Those changes fixed two
problems, not one: both the fact that by default MIME attachments are
treated in a way that can execute arbitrary code, and the fact that
maliciously-constructed LaTeX attachment could exhaust all free space
on your disk.

<!--X-Body-of-Message-End-->
<!--X-MsgBody-End-->
<!--X-Follow-Ups-->

<!--X-Follow-Ups-End-->
<!--X-References-->
<!--X-References-End-->
<!--X-BotPNI-->

By Date

By Thread

Current thread:

Is CVE-2024-30203 bogus? (Emacs) Sean Whitton (Apr 08)

Re: Is CVE-2024-30203 bogus? (Emacs) Eli Zaretskii (Apr 08)

<!--X-BotPNI-End-->
<!--X-User-Footer-->
<!--X-User-Footer-End-->

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started