<!--X-Body-Begin-->
<!--X-User-Header-->
oss-sec
mailing list archives
<!--X-User-Header-End-->
<!--X-TopPNI-->
By Date
By Thread
</form>
<!--X-TopPNI-End-->
<!--X-MsgBody-->
<!--X-Subject-Header-Begin-->
Re: Is CVE-2024-30203 bogus? (Emacs)
<!--X-Subject-Header-End-->
<!--X-Head-of-Message-->
From: Eli Zaretskii <eliz () gnu org>
Date: Mon, 08 Apr 2024 14:38:35 +0300
<!--X-Head-of-Message-End-->
<!--X-Head-Body-Sep-Begin-->
<!--X-Head-Body-Sep-End-->
<!--X-Body-of-Message-->
From: Sean Whitton <spwhitton () spwhitton name>
Cc: emacs () packages debian org, emacs-devel () gnu org,
oss-security () lists openwall com
Date: Mon, 08 Apr 2024 15:05:21 +0800
The description for CVE-2024-30203 is
In Emacs before 29.3, Gnus treats inline MIME contents as trusted.
and for CVE-2024-30204 is
In Emacs before 29.3, LaTeX preview is enabled by default for e-mail
attachments.
but I think these commits
* ccc188fcf98..: Ihor Radchenko 2024-02-20 * lisp/files.el
(untrusted-content): New variable.
* 937b9042ad7..: Ihor Radchenko 2024-02-20 * lisp/gnus/mm-view.el
(mm-display-inline-fontify): Mark contents untrusted.
* 6f9ea396f49..: Ihor Radchenko 2024-02-20 org-latex-preview: Add
protection when `untrusted-content' is non-nil
fix only a single problem, right? But we have two CVEs.
It seems to me that either
- CVE-2024-30203 is just bogus, based on a misunderstanding by the CVEs
assigner of exactly what the vulnerabilities were
- CVE-2024-30203 is legitimate, and we have only fixed one possible way
in which Gnus treats inline MIME content as trusted.
I think it's the first one -- can you confirm?
I'm not Ihor, but I cannot agree with you. Those changes fixed two
problems, not one: both the fact that by default MIME attachments are
treated in a way that can execute arbitrary code, and the fact that
maliciously-constructed LaTeX attachment could exhaust all free space
on your disk.
<!--X-Body-of-Message-End-->
<!--X-MsgBody-End-->
<!--X-Follow-Ups-->
<!--X-Follow-Ups-End-->
<!--X-References-->
<!--X-References-End-->
<!--X-BotPNI-->
By Date
By Thread
Current thread:
Is CVE-2024-30203 bogus? (Emacs) Sean Whitton (Apr 08)
Re: Is CVE-2024-30203 bogus? (Emacs) Eli Zaretskii (Apr 08)
<!--X-BotPNI-End-->
<!--X-User-Footer-->
<!--X-User-Footer-End-->