Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

Re: Is CVE-2024-30203 bogus? (Emacs)

Related Vulnerabilities: CVE-2024-30203   CVE-2024-30204   CVE-2024-30202  
Source 
                							

                <!--X-Body-Begin-->
<!--X-User-Header-->

oss-sec
mailing list archives
<!--X-User-Header-End-->
<!--X-TopPNI-->

By Date

By Thread

</form>

<!--X-TopPNI-End-->
<!--X-MsgBody-->
<!--X-Subject-Header-Begin-->
Re: Is CVE-2024-30203 bogus? (Emacs)

<!--X-Subject-Header-End-->
<!--X-Head-of-Message-->

From: Max Nikulin &lt;manikulin () gmail com&gt;

Date: Mon, 8 Apr 2024 23:55:35 +0700

<!--X-Head-of-Message-End-->
<!--X-Head-Body-Sep-Begin-->

<!--X-Head-Body-Sep-End-->
<!--X-Body-of-Message-->
On 08/04/2024 18:38, Eli Zaretskii wrote:
From: Sean Whitton Date: Mon, 08 Apr 2024 15:05:21 +0800

- CVE-2024-30203 is just bogus, based on a misunderstanding by the CVEs
   assigner of exactly what the vulnerabilities were

- CVE-2024-30203 is legitimate, and we have only fixed one possible way
   in which Gnus treats inline MIME content as trusted.

I think it's the first one -- can you confirm?

I'm not Ihor, but I cannot agree with you.  Those changes fixed two
problems, not one: both the fact that by default MIME attachments are
treated in a way that can execute arbitrary code, and the fact that
maliciously-constructed LaTeX attachment could exhaust all free space
on your disk.

Arbitrary code execution bug is neither CVE-2024-30203 nor 
CVE-2024-30204, it is

CVE-2024-30202 "In Emacs before 29.3, arbitrary Lisp code is evaluated 
as part of turning on Org mode. This affects Org Mode before 9.6.23."

and it is fixed by

- 
https://git.savannah.gnu.org/cgit/emacs.git/commit/?h=emacs-29&amp;id=befa9fcaae29a6c9a283ba371c3c5234c7f644eb
- 
https://git.savannah.gnu.org/cgit/emacs/org-mode.git/commit/?id=003ddacf1c8d869b1858181c29ea21b731a8d8d9
2024-02-20 12:19:46 +0300 Ihor Radchenko: org-macro--set-templates: 
Prevent code evaluation

This commit fully covers both scenarios:
- inline preview for attachments in Gnus,
- a text file (not necessary having .org suffix) opened in Emacs directly.

I hope, rare users have Org mode or TeX engine configuration allowing 
execution of arbitrary shell commands during generation of LaTeX preview.

The commits mentioned by Sean suppress a kind of DoS (attempt to exhaust 
disk space or inodes allocated for /tmp) through LaTeX preview for email 
attachments. (There is no reasonable way to address the case when a 
malicious file is opened in Emacs.)

<!--X-Body-of-Message-End-->
<!--X-MsgBody-End-->
<!--X-Follow-Ups-->

<!--X-Follow-Ups-End-->
<!--X-References-->
<!--X-References-End-->
<!--X-BotPNI-->

By Date

By Thread

Current thread:

Is CVE-2024-30203 bogus? (Emacs) Sean Whitton (Apr 08)

Re: Is CVE-2024-30203 bogus? (Emacs) Eli Zaretskii (Apr 08)

Re: Is CVE-2024-30203 bogus? (Emacs) Max Nikulin (Apr 08)

<!--X-BotPNI-End-->
<!--X-User-Footer-->
<!--X-User-Footer-End-->

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started