<!--X-Body-Begin-->
<!--X-User-Header-->
oss-sec
mailing list archives
<!--X-User-Header-End-->
<!--X-TopPNI-->
<!--X-TopPNI-End-->
<!--X-MsgBody-->
<!--X-Subject-Header-Begin-->
Re: Is CVE-2024-30203 bogus? (Emacs)
<!--X-Subject-Header-End-->
<!--X-Head-of-Message-->
From: Max Nikulin <manikulin () gmail com>
Date: Mon, 8 Apr 2024 23:55:35 +0700
<!--X-Head-of-Message-End-->
<!--X-Head-Body-Sep-Begin-->
<!--X-Head-Body-Sep-End-->
<!--X-Body-of-Message-->
On 08/04/2024 18:38, Eli Zaretskii wrote:
>> From: Sean Whitton
>> Date: Mon, 08 Apr 2024 15:05:21 +0800
>>
>> - CVE-2024-30203 is just bogus, based on a misunderstanding by the CVEs
>>   assigner of exactly what the vulnerabilities were
>> - CVE-2024-30203 is legitimate, and we have only fixed one possible way
>>   in which Gnus treats inline MIME content as trusted.
>>
>> I think it's the first one -- can you confirm?
>
> I'm not Ihor, but I cannot agree with you. Those changes fixed two
> problems, not one: both the fact that by default MIME attachments are
> treated in a way that can execute arbitrary code, and the fact that
> maliciously-constructed LaTeX attachment could exhaust all free space
> on your disk.

The arbitrary code execution bug is neither CVE-2024-30203 nor
CVE-2024-30204, it is
CVE-2024-30202 "In Emacs before 29.3, arbitrary Lisp code is evaluated
as part of turning on Org mode. This affects Org Mode before 9.6.23."
and it is fixed by
- https://git.savannah.gnu.org/cgit/emacs.git/commit/?h=emacs-29&id=befa9fcaae29a6c9a283ba371c3c5234c7f644eb
- https://git.savannah.gnu.org/cgit/emacs/org-mode.git/commit/?id=003ddacf1c8d869b1858181c29ea21b731a8d8d9
2024-02-20 12:19:46 +0300 Ihor Radchenko: org-macro--set-templates: Prevent code evaluation

This commit fully covers both scenarios:
- inline preview for attachments in Gnus,
- a text file (not necessarily having .org suffix) opened in Emacs directly.

I hope few users have an Org mode or TeX engine configuration allowing
execution of arbitrary shell commands during generation of LaTeX preview.

The commits mentioned by Sean suppress a kind of DoS (an attempt to exhaust
disk space or inodes allocated for /tmp) through LaTeX preview for email
attachments. (There is no reasonable way to address the case when a
malicious file is opened in Emacs.)
<!--X-Body-of-Message-End-->
<!--X-MsgBody-End-->
<!--X-Follow-Ups-->
<!--X-Follow-Ups-End-->
<!--X-References-->
<!--X-References-End-->
<!--X-BotPNI-->
Current thread:
Is CVE-2024-30203 bogus? (Emacs) Sean Whitton (Apr 08)
Re: Is CVE-2024-30203 bogus? (Emacs) Eli Zaretskii (Apr 08)
Re: Is CVE-2024-30203 bogus? (Emacs) Max Nikulin (Apr 08)
<!--X-BotPNI-End-->
<!--X-User-Footer-->
<!--X-User-Footer-End-->