Re: Is CVE-2024-30203 bogus? (Emacs)

[Max Nikulin <manikulin () gmail com>]

On 08/04/2024 18:38, Eli Zaretskii wrote:
> > From: Sean Whitton Date: Mon, 08 Apr 2024 15:05:21 +0800
> >
> > - CVE-2024-30203 is just bogus, based on a misunderstanding by the CVEs
> >    assigner of exactly what the vulnerabilities were
> >
> > - CVE-2024-30203 is legitimate, and we have only fixed one possible way
> >    in which Gnus treats inline MIME content as trusted.
> >
> > I think it's the first one -- can you confirm?
>
> I'm not Ihor, but I cannot agree with you.  Those changes fixed two
> problems, not one: both the fact that by default MIME attachments are
> treated in a way that can execute arbitrary code, and the fact that
> maliciously-constructed LaTeX attachment could exhaust all free space
> on your disk.

Arbitrary code execution bug is neither CVE-2024-30203 nor 
CVE-2024-30204, it is

CVE-2024-30202 "In Emacs before 29.3, arbitrary Lisp code is evaluated 
as part of turning on Org mode. This affects Org Mode before 9.6.23."

and it is fixed by

- 
https://git.savannah.gnu.org/cgit/emacs.git/commit/?h=emacs-29&id=befa9fcaae29a6c9a283ba371c3c5234c7f644eb
- 
https://git.savannah.gnu.org/cgit/emacs/org-mode.git/commit/?id=003ddacf1c8d869b1858181c29ea21b731a8d8d9
2024-02-20 12:19:46 +0300 Ihor Radchenko: org-macro--set-templates: 
Prevent code evaluation

This commit fully covers both scenarios:
- inline preview for attachments in Gnus,
- a text file (not necessary having .org suffix) opened in Emacs directly.

I hope, rare users have Org mode or TeX engine configuration allowing 
execution of arbitrary shell commands during generation of LaTeX preview.

The commits mentioned by Sean suppress a kind of DoS (attempt to exhaust 
disk space or inodes allocated for /tmp) through LaTeX preview for email 
attachments. (There is no reasonable way to address the case when a 
malicious file is opened in Emacs.)