[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Is CVE-2024-30203 bogus?
|
From: |
Eli Zaretskii |
|
Subject: |
Re: Is CVE-2024-30203 bogus? |
|
Date: |
Mon, 08 Apr 2024 14:38:35 +0300 |
> From: Sean Whitton <spwhitton@spwhitton.name>
> Cc: emacs@packages.debian.org, emacs-devel@gnu.org,
> oss-security@lists.openwall.com
> Date: Mon, 08 Apr 2024 15:05:21 +0800
>
>
> The description for CVE-2024-30203 is
>
> In Emacs before 29.3, Gnus treats inline MIME contents as trusted.
>
> and for CVE-2024-30204 is
>
> In Emacs before 29.3, LaTeX preview is enabled by default for e-mail
> attachments.
>
> but I think these commits
>
> * ccc188fcf98..: Ihor Radchenko 2024-02-20 * lisp/files.el
> (untrusted-content): New variable.
> * 937b9042ad7..: Ihor Radchenko 2024-02-20 * lisp/gnus/mm-view.el
> (mm-display-inline-fontify): Mark contents untrusted.
> * 6f9ea396f49..: Ihor Radchenko 2024-02-20 org-latex-preview: Add
> protection when `untrusted-content' is non-nil
>
> fix only a single problem, right? But we have two CVEs.
>
> It seems to me that either
>
> - CVE-2024-30203 is just bogus, based on a misunderstanding by the CVEs
> assigner of exactly what the vulnerabilities were
>
> - CVE-2024-30203 is legitimate, and we have only fixed one possible way
> in which Gnus treats inline MIME content as trusted.
>
> I think it's the first one -- can you confirm?
I'm not Ihor, but I cannot agree with you. Those changes fixed two
problems, not one: both the fact that by default MIME attachments are
treated in a way that can execute arbitrary code, and the fact that
maliciously-constructed LaTeX attachment could exhaust all free space
on your disk.