CVE-2024-30203

Hi, On Wed, Apr 10, 2024 at 12:04:06PM +0000, Ihor Radchenko wrote: Note that the CVE assignment (by MITRE as assigning CNA) for CVE-2024-30203 is explicitly as follows: associated with: gitsavannahgnuorg/cgit/emacsgit/commit/?h=emacs-29&id=937b9042ad7426acdcca33e3d931d8f495bdd804 If you think the CVE assignment is not valid ...

Hello Ihor, The description for CVE-2024-30203 is In Emacs before 293, Gnus treats inline MIME contents as trusted and for CVE-2024-30204 is In Emacs before 293, LaTeX preview is enabled by default for e-mail attachments but I think these commits * ccc188fcf98: Ihor Radchenko 2024-02-20 * lisp/filesel (untrusted-content): ...

Hello, On Wed 10 Apr 2024 at 04:17pm +02, Salvatore Bonaccorso wrote: This commit doesn't fix anything at all, just fyi Okay, I'll do that, thanks -- Sean Whitton ...

On 11/04/2024 16:13, Sean Whitton wrote: This Emacs commit 2024-02-20 12:44:30 +0300 Ihor Radchenko: is not enough to fix the issue More changes are required to make the fix effective, namely When external Org mode is loaded, that version should contain gitsavannahgnuorg/cgit/emacs/org-modegit/commit/?id=03635a335 besid ...

Hello, On Wed 10 Apr 2024 at 10:07pm +07, Max Nikulin wrote: My understanding is that one CVE for the same vulnerability in multiple code bases is normal -- Sean Whitton ...

I'm not Ihor, but I cannot agree with you Those changes fixed two problems, not one: both the fact that by default MIME attachments are treated in a way that can execute arbitrary code, and the fact that maliciously-constructed LaTeX attachment could exhaust all free space on your disk ...

Hello, On Mon 08 Apr 2024 at 06:44pm GMT, Ihor Radchenko wrote: Right, it's a purely preliminary change, not fixing any holes in itself Hmm, thank you, but let me ask a follow-up question: do you agree with me that there is only one security flaw covered by these two CVEs, and CVE-2024-30203 is the superfluous one? -- Sean Whitton ...

On 10/04/2024 21:17, Salvatore Bonaccorso wrote: [] ...

On 08/04/2024 18:38, Eli Zaretskii wrote: and it is fixed by This commit fully covers both scenarios: - inline preview for attachments in Gnus, - a text file (not necessary having org suffix) opened in Emacs directly ...

On Mon, Mar 25, 2024 at 11:12:56AM +0100, Salvatore Bonaccorso wrote: CVEs are now assigned for the emacs and org-mode issues: CVE-2024-30205: - gitsavannahgnuorg/cgit/emacsgit/commit/?h=emacs-29&id=2bc865ace050ff118db43f01457f95f95112b877 - gitsavannahgnuorg/cgit/emacs/org-modegit/commit/?id=4255d5dcc0657915f90e4fba7 ...

Sean Whitton <spwhitton () spwhitton name> writes: Yes, CVE-2024-30203 title is superfluous And CVE-2024-30204 title is not accurate - it only applies to certain attachments with specific (text/x-org) mime type -- Ihor Radchenko // yantar92, Org mode contributor, Learn more about Org mode at <orgmodeorg/> Support Org de ...

Sean Whitton <spwhitton () spwhitton name> writes: Before Emacs 293, there was no concept of trusted or untrusted content in Emacs We introduced it specifically to control whether we allow running LaTeX on the contents of a given buffer (And even in Emacs 293, the concept of untrusted contents is not yet official) So, at least the titl ...