unofficial mirror of emacs-devel@gnu.org 
 help / color / mirror / code / Atom feed
* Is CVE-2024-30203 bogus?
@ 2024-04-08  7:05 Sean Whitton
  2024-04-08 11:38 ` Eli Zaretskii
  2024-04-08 18:44 ` Ihor Radchenko
  0 siblings, 2 replies; 11+ messages in thread
From: Sean Whitton @ 2024-04-08  7:05 UTC (permalink / raw)
  To: Ihor Radchenko; +Cc: emacs, emacs-devel, oss-security

[-- Attachment #1: Type: text/plain, Size: 1052 bytes --]

Hello Ihor,

The description for CVE-2024-30203 is

    In Emacs before 29.3, Gnus treats inline MIME contents as trusted.

and for CVE-2024-30204 is

    In Emacs before 29.3, LaTeX preview is enabled by default for e-mail
    attachments.

but I think these commits

* ccc188fcf98..: Ihor Radchenko 2024-02-20 * lisp/files.el
  (untrusted-content): New variable.
* 937b9042ad7..: Ihor Radchenko 2024-02-20 * lisp/gnus/mm-view.el
  (mm-display-inline-fontify): Mark contents untrusted.
* 6f9ea396f49..: Ihor Radchenko 2024-02-20 org-latex-preview: Add
  protection when `untrusted-content' is non-nil

fix only a single problem, right?  But we have two CVEs.

It seems to me that either

- CVE-2024-30203 is just bogus, based on a misunderstanding by the CVEs
  assigner of exactly what the vulnerabilities were

- CVE-2024-30203 is legitimate, and we have only fixed one possible way
  in which Gnus treats inline MIME content as trusted.

I think it's the first one -- can you confirm?

Thanks.

-- 
Sean Whitton

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 869 bytes --]

^ permalink raw reply	[flat|nested] 11+ messages in thread

* Re: Is CVE-2024-30203 bogus?
  2024-04-08  7:05 Is CVE-2024-30203 bogus? Sean Whitton
@ 2024-04-08 11:38 ` Eli Zaretskii
  2024-04-08 16:55   ` Max Nikulin
  2024-04-08 18:44 ` Ihor Radchenko
  1 sibling, 1 reply; 11+ messages in thread
From: Eli Zaretskii @ 2024-04-08 11:38 UTC (permalink / raw)
  To: Sean Whitton; +Cc: yantar92, emacs, emacs-devel, oss-security

> From: Sean Whitton <spwhitton@spwhitton.name>
> Cc: emacs@packages.debian.org, emacs-devel@gnu.org,
>  oss-security@lists.openwall.com
> Date: Mon, 08 Apr 2024 15:05:21 +0800
> 
> 
> The description for CVE-2024-30203 is
> 
>     In Emacs before 29.3, Gnus treats inline MIME contents as trusted.
> 
> and for CVE-2024-30204 is
> 
>     In Emacs before 29.3, LaTeX preview is enabled by default for e-mail
>     attachments.
> 
> but I think these commits
> 
> * ccc188fcf98..: Ihor Radchenko 2024-02-20 * lisp/files.el
>   (untrusted-content): New variable.
> * 937b9042ad7..: Ihor Radchenko 2024-02-20 * lisp/gnus/mm-view.el
>   (mm-display-inline-fontify): Mark contents untrusted.
> * 6f9ea396f49..: Ihor Radchenko 2024-02-20 org-latex-preview: Add
>   protection when `untrusted-content' is non-nil
> 
> fix only a single problem, right?  But we have two CVEs.
> 
> It seems to me that either
> 
> - CVE-2024-30203 is just bogus, based on a misunderstanding by the CVEs
>   assigner of exactly what the vulnerabilities were
> 
> - CVE-2024-30203 is legitimate, and we have only fixed one possible way
>   in which Gnus treats inline MIME content as trusted.
> 
> I think it's the first one -- can you confirm?

I'm not Ihor, but I cannot agree with you.  Those changes fixed two
problems, not one: both the fact that by default MIME attachments are
treated in a way that can execute arbitrary code, and the fact that
maliciously-constructed LaTeX attachment could exhaust all free space
on your disk.



^ permalink raw reply	[flat|nested] 11+ messages in thread

* Re: Is CVE-2024-30203 bogus?
  2024-04-08 11:38 ` Eli Zaretskii
@ 2024-04-08 16:55   ` Max Nikulin
  0 siblings, 0 replies; 11+ messages in thread
From: Max Nikulin @ 2024-04-08 16:55 UTC (permalink / raw)
  To: Eli Zaretskii, Sean Whitton; +Cc: yantar92, emacs, emacs-devel, oss-security

On 08/04/2024 18:38, Eli Zaretskii wrote:
>> From: Sean Whitton Date: Mon, 08 Apr 2024 15:05:21 +0800
>>
>> - CVE-2024-30203 is just bogus, based on a misunderstanding by the CVEs
>>    assigner of exactly what the vulnerabilities were
>>
>> - CVE-2024-30203 is legitimate, and we have only fixed one possible way
>>    in which Gnus treats inline MIME content as trusted.
>>
>> I think it's the first one -- can you confirm?
> 
> I'm not Ihor, but I cannot agree with you.  Those changes fixed two
> problems, not one: both the fact that by default MIME attachments are
> treated in a way that can execute arbitrary code, and the fact that
> maliciously-constructed LaTeX attachment could exhaust all free space
> on your disk.

Arbitrary code execution bug is neither CVE-2024-30203 nor 
CVE-2024-30204, it is

CVE-2024-30202 "In Emacs before 29.3, arbitrary Lisp code is evaluated 
as part of turning on Org mode. This affects Org Mode before 9.6.23."

and it is fixed by

- 
https://git.savannah.gnu.org/cgit/emacs.git/commit/?h=emacs-29&id=befa9fcaae29a6c9a283ba371c3c5234c7f644eb
- 
https://git.savannah.gnu.org/cgit/emacs/org-mode.git/commit/?id=003ddacf1c8d869b1858181c29ea21b731a8d8d9
2024-02-20 12:19:46 +0300 Ihor Radchenko: org-macro--set-templates: 
Prevent code evaluation

This commit fully covers both scenarios:
- inline preview for attachments in Gnus,
- a text file (not necessary having .org suffix) opened in Emacs directly.

I hope, rare users have Org mode or TeX engine configuration allowing 
execution of arbitrary shell commands during generation of LaTeX preview.

The commits mentioned by Sean suppress a kind of DoS (attempt to exhaust 
disk space or inodes allocated for /tmp) through LaTeX preview for email 
attachments. (There is no reasonable way to address the case when a 
malicious file is opened in Emacs.)



^ permalink raw reply	[flat|nested] 11+ messages in thread

* Re: Is CVE-2024-30203 bogus?
  2024-04-08  7:05 Is CVE-2024-30203 bogus? Sean Whitton
  2024-04-08 11:38 ` Eli Zaretskii
@ 2024-04-08 18:44 ` Ihor Radchenko
  2024-04-10 11:57   ` Is CVE-2024-30203 bogus? (Emacs) Sean Whitton
  1 sibling, 1 reply; 11+ messages in thread
From: Ihor Radchenko @ 2024-04-08 18:44 UTC (permalink / raw)
  To: Sean Whitton; +Cc: emacs, emacs-devel, oss-security

Sean Whitton <spwhitton@spwhitton.name> writes:

> The description for CVE-2024-30203 is
>
>     In Emacs before 29.3, Gnus treats inline MIME contents as trusted.

Before Emacs 29.3, there was no concept of trusted or untrusted content
in Emacs. We introduced it specifically to control whether we allow
running LaTeX on the contents of a given buffer. (And even in Emacs
29.3, the concept of untrusted contents is not yet official) So, at least
the title is misleading.

> and for CVE-2024-30204 is
>
>     In Emacs before 29.3, LaTeX preview is enabled by default for e-mail
>     attachments.

This is closer to what was happening.
Note that LaTeX preview itself was not a problem. The problem was that we
executed actual latex program without user query with input taken from
buffer text to generate the previews (using the default settings). LaTeX
input can be specifically constructed to cause DOS when using LaTeX
compiler, which is especially dangerous when the input is coming from
emails.

Also, only GNUS and MUA clients re-using gnus libs (at least, notmuch
and mu4e) were affected. Not rmail, AFAIK.

> ...
> I think it's the first one -- can you confirm?

I hope that the above clarified things.

-- 
Ihor Radchenko // yantar92,
Org mode contributor,
Learn more about Org mode at <https://orgmode.org/>.
Support Org development at <https://liberapay.com/org-mode>,
or support my work at <https://liberapay.com/yantar92>



^ permalink raw reply	[flat|nested] 11+ messages in thread

* Re: Is CVE-2024-30203 bogus? (Emacs)
  2024-04-08 18:44 ` Ihor Radchenko
@ 2024-04-10 11:57   ` Sean Whitton
  2024-04-10 12:04     ` Ihor Radchenko
  0 siblings, 1 reply; 11+ messages in thread
From: Sean Whitton @ 2024-04-10 11:57 UTC (permalink / raw)
  To: Ihor Radchenko; +Cc: emacs, emacs-devel, oss-security

Hello,

On Mon 08 Apr 2024 at 06:44pm GMT, Ihor Radchenko wrote:

> Sean Whitton <spwhitton@spwhitton.name> writes:
>
>> The description for CVE-2024-30203 is
>>
>>     In Emacs before 29.3, Gnus treats inline MIME contents as trusted.
>
> Before Emacs 29.3, there was no concept of trusted or untrusted content
> in Emacs. We introduced it specifically to control whether we allow
> running LaTeX on the contents of a given buffer. (And even in Emacs
> 29.3, the concept of untrusted contents is not yet official) So, at least
> the title is misleading.

Right, it's a purely preliminary change, not fixing any holes in itself.

>> and for CVE-2024-30204 is
>>
>>     In Emacs before 29.3, LaTeX preview is enabled by default for e-mail
>>     attachments.
>
> This is closer to what was happening.
> Note that LaTeX preview itself was not a problem. The problem was that we
> executed actual latex program without user query with input taken from
> buffer text to generate the previews (using the default settings). LaTeX
> input can be specifically constructed to cause DOS when using LaTeX
> compiler, which is especially dangerous when the input is coming from
> emails.
>
> Also, only GNUS and MUA clients re-using gnus libs (at least, notmuch
> and mu4e) were affected. Not rmail, AFAIK.
>
>> ...
>> I think it's the first one -- can you confirm?
>
> I hope that the above clarified things.

Hmm, thank you, but let me ask a follow-up question: do you agree with
me that there is only one security flaw covered by these two CVEs, and
CVE-2024-30203 is the superfluous one?

-- 
Sean Whitton



^ permalink raw reply	[flat|nested] 11+ messages in thread

* Re: Is CVE-2024-30203 bogus? (Emacs)
  2024-04-10 11:57   ` Is CVE-2024-30203 bogus? (Emacs) Sean Whitton
@ 2024-04-10 12:04     ` Ihor Radchenko
  2024-04-10 14:17       ` Salvatore Bonaccorso
  0 siblings, 1 reply; 11+ messages in thread
From: Ihor Radchenko @ 2024-04-10 12:04 UTC (permalink / raw)
  To: Sean Whitton; +Cc: emacs, emacs-devel, oss-security

Sean Whitton <spwhitton@spwhitton.name> writes:

> Hmm, thank you, but let me ask a follow-up question: do you agree with
> me that there is only one security flaw covered by these two CVEs, and
> CVE-2024-30203 is the superfluous one?

Yes, CVE-2024-30203 title is superfluous.
And CVE-2024-30204 title is not accurate - it only applies to
certain attachments with specific (text/x-org) mime type.

-- 
Ihor Radchenko // yantar92,
Org mode contributor,
Learn more about Org mode at <https://orgmode.org/>.
Support Org development at <https://liberapay.com/org-mode>,
or support my work at <https://liberapay.com/yantar92>



^ permalink raw reply	[flat|nested] 11+ messages in thread

* Re: Re: Is CVE-2024-30203 bogus? (Emacs)
  2024-04-10 12:04     ` Ihor Radchenko
@ 2024-04-10 14:17       ` Salvatore Bonaccorso
  2024-04-10 15:07         ` Max Nikulin
  2024-04-11  9:13         ` [oss-security] " Sean Whitton
  0 siblings, 2 replies; 11+ messages in thread
From: Salvatore Bonaccorso @ 2024-04-10 14:17 UTC (permalink / raw)
  To: oss-security-ZwoEplunGu1jrUoiu81ncdBPR1lH4CV8
  Cc: Sean Whitton, emacs-R+A61+qa7K2F9N/2sQ04j0B+6BGkLq7r,
	emacs-devel-mXXj517/zsQ

Hi,

On Wed, Apr 10, 2024 at 12:04:06PM +0000, Ihor Radchenko wrote:
> Sean Whitton <spwhitton-PEZ64Ft4C9UnzZ6mRAm98g@public.gmane.org> writes:
> 
> > Hmm, thank you, but let me ask a follow-up question: do you agree with
> > me that there is only one security flaw covered by these two CVEs, and
> > CVE-2024-30203 is the superfluous one?
> 
> Yes, CVE-2024-30203 title is superfluous.
> And CVE-2024-30204 title is not accurate - it only applies to
> certain attachments with specific (text/x-org) mime type.

Note that the CVE assignment (by MITRE as assigning CNA) for
CVE-2024-30203 is explicitly as follows:

> In Emacs before 29.3, Gnus treats inline MIME contents as trusted.

associated with:

https://git.savannah.gnu.org/cgit/emacs.git/commit/?h=emacs-29&id=937b9042ad7426acdcca33e3d931d8f495bdd804

If you think the CVE assignment is not valid, then you might ask for a
REJECT on https://cveform.mitre.org/ .

Regards,
Salvatore


^ permalink raw reply	[flat|nested] 11+ messages in thread

* Re: Is CVE-2024-30203 bogus? (Emacs)
  2024-04-10 14:17       ` Salvatore Bonaccorso
@ 2024-04-10 15:07         ` Max Nikulin
  2024-04-11  9:12           ` Sean Whitton
  2024-04-11  9:13         ` [oss-security] " Sean Whitton
  1 sibling, 1 reply; 11+ messages in thread
From: Max Nikulin @ 2024-04-10 15:07 UTC (permalink / raw)
  To: oss-security; +Cc: Sean Whitton, emacs, emacs-devel, Ihor Radchenko

On 10/04/2024 21:17, Salvatore Bonaccorso wrote:
> On Wed, Apr 10, 2024 at 12:04:06PM +0000, Ihor Radchenko wrote:
>>
>> Yes, CVE-2024-30203 title is superfluous.
>> And CVE-2024-30204 title is not accurate - it only applies to
>> certain attachments with specific (text/x-org) mime type.
[...]
> If you think the CVE assignment is not valid, then you might ask for a
> REJECT on https://cveform.mitre.org/ .

Do 2 CVE numbers make sense to track fixes in Emacs and Org mode? 
Various versions of Org mode may be loaded to different versions of 
Emacs and both parties must have fixes to avoid the issue.




^ permalink raw reply	[flat|nested] 11+ messages in thread

* Re: Is CVE-2024-30203 bogus? (Emacs)
  2024-04-10 15:07         ` Max Nikulin
@ 2024-04-11  9:12           ` Sean Whitton
  0 siblings, 0 replies; 11+ messages in thread
From: Sean Whitton @ 2024-04-11  9:12 UTC (permalink / raw)
  To: Max Nikulin; +Cc: oss-security, emacs, emacs-devel, Ihor Radchenko

[-- Attachment #1: Type: text/plain, Size: 820 bytes --]

Hello,

On Wed 10 Apr 2024 at 10:07pm +07, Max Nikulin wrote:

> On 10/04/2024 21:17, Salvatore Bonaccorso wrote:
>> On Wed, Apr 10, 2024 at 12:04:06PM +0000, Ihor Radchenko wrote:
>>>
>>> Yes, CVE-2024-30203 title is superfluous.
>>> And CVE-2024-30204 title is not accurate - it only applies to
>>> certain attachments with specific (text/x-org) mime type.
> [...]
>> If you think the CVE assignment is not valid, then you might ask for a
>> REJECT on https://cveform.mitre.org/ .
>
> Do 2 CVE numbers make sense to track fixes in Emacs and Org mode? Various
> versions of Org mode may be loaded to different versions of Emacs and both
> parties must have fixes to avoid the issue.

My understanding is that one CVE for the same vulnerability in multiple
code bases is normal.

-- 
Sean Whitton

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 869 bytes --]

^ permalink raw reply	[flat|nested] 11+ messages in thread

* Re: [oss-security] Re: Is CVE-2024-30203 bogus? (Emacs)
  2024-04-10 14:17       ` Salvatore Bonaccorso
  2024-04-10 15:07         ` Max Nikulin
@ 2024-04-11  9:13         ` Sean Whitton
  2024-04-11 10:38           ` Max Nikulin
  1 sibling, 1 reply; 11+ messages in thread
From: Sean Whitton @ 2024-04-11  9:13 UTC (permalink / raw)
  To: Salvatore Bonaccorso; +Cc: oss-security, emacs, emacs-devel

[-- Attachment #1: Type: text/plain, Size: 618 bytes --]

Hello,

On Wed 10 Apr 2024 at 04:17pm +02, Salvatore Bonaccorso wrote:

> Note that the CVE assignment (by MITRE as assigning CNA) for
> CVE-2024-30203 is explicitly as follows:
>
>> In Emacs before 29.3, Gnus treats inline MIME contents as trusted.
>
> associated with:
>
> https://git.savannah.gnu.org/cgit/emacs.git/commit/?h=emacs-29&id=937b9042ad7426acdcca33e3d931d8f495bdd804

This commit doesn't fix anything at all, just fyi.

> If you think the CVE assignment is not valid, then you might ask for a
> REJECT on https://cveform.mitre.org/ .

Okay, I'll do that, thanks.

-- 
Sean Whitton

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 869 bytes --]

^ permalink raw reply	[flat|nested] 11+ messages in thread

* Re: Is CVE-2024-30203 bogus? (Emacs)
  2024-04-11  9:13         ` [oss-security] " Sean Whitton
@ 2024-04-11 10:38           ` Max Nikulin
  0 siblings, 0 replies; 11+ messages in thread
From: Max Nikulin @ 2024-04-11 10:38 UTC (permalink / raw)
  To: Sean Whitton, Salvatore Bonaccorso
  Cc: oss-security, emacs, emacs-devel, Ihor Radchenko

On 11/04/2024 16:13, Sean Whitton wrote:
> On Wed 10 Apr 2024 at 04:17pm +02, Salvatore Bonaccorso wrote:
> 
>> Note that the CVE assignment (by MITRE as assigning CNA) for
>> CVE-2024-30203 is explicitly as follows:
>>
>>> In Emacs before 29.3, Gnus treats inline MIME contents as trusted.
>>
>> https://git.savannah.gnu.org/cgit/emacs.git/commit/?h=emacs-29&id=937b9042ad7426acdcca33e3d931d8f495bdd804
> 
> This commit doesn't fix anything at all, just fyi.

This Emacs commit

     2024-02-20 12:44:30 +0300 Ihor Radchenko:
     * lisp/gnus/mm-view.el (mm-display-inline-fontify): Mark contents 
untrusted.)

is not enough to fix the issue. More changes are required to make the
fix effective, namely

ccc188fcf98 2024-02-20 12:43:51 +0300 Ihor Radchenko: * lisp/files.el 
(untrusted-content): New variable.
6f9ea396f49 2024-02-20 12:47:24 +0300 Ihor Radchenko: org-latex-preview: 
Add protection when `untrusted-content' is non-nil


When external Org mode is loaded, that version should contain

https://git.savannah.gnu.org/cgit/emacs/org-mode.git/commit/?id=03635a335
2024-02-20 12:47:24 +0300 Ihor Radchenko: org-latex-preview: Add 
protection when `untrusted-content' is non-nil

besides Emacs commits ccc188fcf98 and 937b9042ad7

Emacs commit 6f9ea396f49 (fix of built-in Org mode) is currently
associated with CVE-2024-30203, however Org mode commit 03635a335
is not.



^ permalink raw reply	[flat|nested] 11+ messages in thread

end of thread, other threads:[~2024-04-11 10:38 UTC | newest]

Thread overview: 11+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2024-04-08  7:05 Is CVE-2024-30203 bogus? Sean Whitton
2024-04-08 11:38 ` Eli Zaretskii
2024-04-08 16:55   ` Max Nikulin
2024-04-08 18:44 ` Ihor Radchenko
2024-04-10 11:57   ` Is CVE-2024-30203 bogus? (Emacs) Sean Whitton
2024-04-10 12:04     ` Ihor Radchenko
2024-04-10 14:17       ` Salvatore Bonaccorso
2024-04-10 15:07         ` Max Nikulin
2024-04-11  9:12           ` Sean Whitton
2024-04-11  9:13         ` [oss-security] " Sean Whitton
2024-04-11 10:38           ` Max Nikulin

Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/emacs.git

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).