Re: Is CVE-2024-30203 bogus? (Emacs)

[Eli Zaretskii <eliz () gnu org>]

> From: Sean Whitton <spwhitton () spwhitton name>
> Cc: emacs () packages debian org, emacs-devel () gnu org,
>  oss-security () lists openwall com
> Date: Mon, 08 Apr 2024 15:05:21 +0800
>
>
> The description for CVE-2024-30203 is
>
>     In Emacs before 29.3, Gnus treats inline MIME contents as trusted.
>
> and for CVE-2024-30204 is
>
>     In Emacs before 29.3, LaTeX preview is enabled by default for e-mail
>     attachments.
>
> but I think these commits
>
> * ccc188fcf98..: Ihor Radchenko 2024-02-20 * lisp/files.el
>   (untrusted-content): New variable.
> * 937b9042ad7..: Ihor Radchenko 2024-02-20 * lisp/gnus/mm-view.el
>   (mm-display-inline-fontify): Mark contents untrusted.
> * 6f9ea396f49..: Ihor Radchenko 2024-02-20 org-latex-preview: Add
>   protection when `untrusted-content' is non-nil
>
> fix only a single problem, right?  But we have two CVEs.
>
> It seems to me that either
>
> - CVE-2024-30203 is just bogus, based on a misunderstanding by the CVEs
>   assigner of exactly what the vulnerabilities were
>
> - CVE-2024-30203 is legitimate, and we have only fixed one possible way
>   in which Gnus treats inline MIME content as trusted.
>
> I think it's the first one -- can you confirm?

I'm not Ihor, but I cannot agree with you.  Those changes fixed two
problems, not one: both the fact that by default MIME attachments are
treated in a way that can execute arbitrary code, and the fact that
maliciously-constructed LaTeX attachment could exhaust all free space
on your disk.