From: Max Nikulin
Newsgroups: gmane.emacs.devel,gmane.comp.security.oss.general
Subject: Re: Is CVE-2024-30203 bogus? (Emacs)
Date: Wed, 10 Apr 2024 22:07:02 +0700
To: oss-security@lists.openwall.com
Cc: Sean Whitton, emacs@packages.debian.org, emacs-devel@gnu.org, Ihor Radchenko

On 10/04/2024 21:17, Salvatore Bonaccorso wrote:
> On Wed, Apr 10, 2024 at 12:04:06PM +0000, Ihor Radchenko wrote:
>>
>> Yes, CVE-2024-30203 title is superfluous.
>> And CVE-2024-30204 title is not accurate - it only applies to
>> certain attachments with specific (text/x-org) mime type.
[...]
> If you think the CVE assignment is not valid, then you might ask for a
> REJECT on https://cveform.mitre.org/ .

Do 2 CVE numbers make sense to track fixes in Emacs and Org mode? Various versions of Org mode may be loaded to different versions of Emacs and both parties must have fixes to avoid the issue.