Hi,
On Wed, Apr 10, 2024 at 12:04:06PM +0000, Ihor Radchenko wrote:
Note that the CVE assignment (by MITRE as assigning CNA) for
CVE-2024-30203 is explicitly as follows:
associated with:
git.savannah.gnu.org/cgit/emacs.git/commit/?h=emacs-29&id=937b9042ad7426acdcca33e3d931d8f495bdd804
If you think the CVE assignment is not valid ...
Hello Ihor,
The description for CVE-2024-30203 is
In Emacs before 29.3, Gnus treats inline MIME contents as trusted.
and for CVE-2024-30204 is
In Emacs before 29.3, LaTeX preview is enabled by default for e-mail
attachments.
but I think these commits
* ccc188fcf98: Ihor Radchenko 2024-02-20 * lisp/files.el
(untrusted-content): ...
Hello,
On Wed 10 Apr 2024 at 04:17pm +02, Salvatore Bonaccorso wrote:
This commit doesn't fix anything at all, just FYI.
Okay, I'll do that, thanks.
--
Sean Whitton ...
On 11/04/2024 16:13, Sean Whitton wrote:
This Emacs commit
2024-02-20 12:44:30 +0300 Ihor Radchenko:
is not enough to fix the issue. More changes are required to make the
fix effective, namely:
When external Org mode is loaded, that version should contain
git.savannah.gnu.org/cgit/emacs/org-mode.git/commit/?id=03635a335
besid ...
Hello,
On Wed 10 Apr 2024 at 10:07pm +07, Max Nikulin wrote:
My understanding is that one CVE for the same vulnerability in multiple
code bases is normal.
--
Sean Whitton ...
I'm not Ihor, but I cannot agree with you. Those changes fixed two
problems, not one: both the fact that by default MIME attachments are
treated in a way that can execute arbitrary code, and the fact that
maliciously-constructed LaTeX attachment could exhaust all free space
on your disk ...
Hello,
On Mon 08 Apr 2024 at 06:44pm GMT, Ihor Radchenko wrote:
Right, it's a purely preliminary change, not fixing any holes in itself.
Hmm, thank you, but let me ask a follow-up question: do you agree with
me that there is only one security flaw covered by these two CVEs, and
CVE-2024-30203 is the superfluous one?
--
Sean Whitton ...
On 10/04/2024 21:17, Salvatore Bonaccorso wrote:
[] ...
On 08/04/2024 18:38, Eli Zaretskii wrote:
and it is fixed by
This commit fully covers both scenarios:
- inline preview for attachments in Gnus,
- a text file (not necessarily having a .org suffix) opened in Emacs directly ...
On Mon, Mar 25, 2024 at 11:12:56AM +0100, Salvatore Bonaccorso wrote:
CVEs are now assigned for the emacs and org-mode issues:
CVE-2024-30205:
- git.savannah.gnu.org/cgit/emacs.git/commit/?h=emacs-29&id=2bc865ace050ff118db43f01457f95f95112b877
- git.savannah.gnu.org/cgit/emacs/org-mode.git/commit/?id=4255d5dcc0657915f90e4fba7 ...
Sean Whitton <spwhitton () spwhitton name> writes:
Yes, CVE-2024-30203 title is superfluous.
And CVE-2024-30204 title is not accurate - it only applies to
certain attachments with a specific (text/x-org) MIME type.
--
Ihor Radchenko // yantar92,
Org mode contributor,
Learn more about Org mode at <https://orgmode.org/>.
Support Org de ...
Sean Whitton <spwhitton () spwhitton name> writes:
Before Emacs 29.3, there was no concept of trusted or untrusted content
in Emacs. We introduced it specifically to control whether we allow
running LaTeX on the contents of a given buffer. (And even in Emacs
29.3, the concept of untrusted contents is not yet official.) So, at least
the titl ...