oss-sec mailing list archives
Is CVE-2024-30203 bogus? (Emacs)
From: Sean Whitton <spwhitton () spwhitton name>
Date: Mon, 08 Apr 2024 15:05:21 +0800
Hello Ihor,
The description for CVE-2024-30203 is
In Emacs before 29.3, Gnus treats inline MIME contents as trusted.
and for CVE-2024-30204 is
In Emacs before 29.3, LaTeX preview is enabled by default for e-mail
attachments.
but I think these commits
* ccc188fcf98..: Ihor Radchenko 2024-02-20 * lisp/files.el
(untrusted-content): New variable.
* 937b9042ad7..: Ihor Radchenko 2024-02-20 * lisp/gnus/mm-view.el
(mm-display-inline-fontify): Mark contents untrusted.
* 6f9ea396f49..: Ihor Radchenko 2024-02-20 org-latex-preview: Add
protection when `untrusted-content' is non-nil
fix only a single problem, right? But we have two CVEs.
It seems to me that either
- CVE-2024-30203 is just bogus, based on a misunderstanding by the CVEs
assigner of exactly what the vulnerabilities were
- CVE-2024-30203 is legitimate, and we have only fixed one possible way
in which Gnus treats inline MIME content as trusted.
I think it's the first one -- can you confirm?
Thanks.
--
Sean Whitton
Attachment:
signature.asc
Description:
Current thread:
- Is CVE-2024-30203 bogus? (Emacs) Sean Whitton (Apr 08)
- Re: Is CVE-2024-30203 bogus? (Emacs) Eli Zaretskii (Apr 08)
- Re: Is CVE-2024-30203 bogus? (Emacs) Max Nikulin (Apr 08)
- Re: Is CVE-2024-30203 bogus? (Emacs) Ihor Radchenko (Apr 08)
- Re: Is CVE-2024-30203 bogus? (Emacs) Sean Whitton (Apr 10)
- Re: Is CVE-2024-30203 bogus? (Emacs) Ihor Radchenko (Apr 10)
- Re: Re: Is CVE-2024-30203 bogus? (Emacs) Salvatore Bonaccorso (Apr 10)
- Re: Is CVE-2024-30203 bogus? (Emacs) Max Nikulin (Apr 10)
- Re: Is CVE-2024-30203 bogus? (Emacs) Sean Whitton (Apr 11)
- Re: Re: Is CVE-2024-30203 bogus? (Emacs) Sean Whitton (Apr 11)
- Re: Is CVE-2024-30203 bogus? (Emacs) Max Nikulin (Apr 11)
- Re: Is CVE-2024-30203 bogus? (Emacs) Sean Whitton (Apr 10)
- Re: Is CVE-2024-30203 bogus? (Emacs) Eli Zaretskii (Apr 08)