From mboxrd@z Thu Jan 1 00:00:00 1970
From: Max Nikulin
Newsgroups: gmane.emacs.devel,gmane.comp.security.oss.general
Subject: Re: Is CVE-2024-30203 bogus? (Emacs)
Date: Thu, 11 Apr 2024 17:38:48 +0700
Message-ID: <29c2fa7d-febb-4496-bac7-a963998d7bcb@gmail.com>
To: Sean Whitton, Salvatore Bonaccorso
Cc: oss-security@lists.openwall.com, emacs@packages.debian.org, emacs-devel@gnu.org, Ihor Radchenko

On 11/04/2024 16:13, Sean Whitton wrote:
> On Wed 10 Apr 2024 at 04:17pm +02, Salvatore Bonaccorso wrote:
>
>> Note that the CVE assignment (by MITRE as assigning CNA) for
>> CVE-2024-30203 is explicitly as follows:
>>
>>> In Emacs before 29.3, Gnus treats inline MIME contents as trusted.
>>
>> https://git.savannah.gnu.org/cgit/emacs.git/commit/?h=emacs-29&id=937b9042ad7426acdcca33e3d931d8f495bdd804
>
> This commit doesn't fix anything at all, just fyi.

This Emacs commit

2024-02-20 12:44:30 +0300 Ihor Radchenko: * lisp/gnus/mm-view.el (mm-display-inline-fontify): Mark contents untrusted.)

is not enough to fix the issue. More changes are required to make the fix effective, namely

ccc188fcf98 2024-02-20 12:43:51 +0300 Ihor Radchenko: * lisp/files.el (untrusted-content): New variable.

6f9ea396f49 2024-02-20 12:47:24 +0300 Ihor Radchenko: org-latex-preview: Add protection when `untrusted-content' is non-nil

When external Org mode is loaded, that version should contain

https://git.savannah.gnu.org/cgit/emacs/org-mode.git/commit/?id=03635a335
2024-02-20 12:47:24 +0300 Ihor Radchenko: org-latex-preview: Add protection when `untrusted-content' is non-nil

besides Emacs commits ccc188fcf98 and 937b9042ad7

Emacs commit 6f9ea396f49 (fix of built-in Org mode) is currently associated with CVE-2024-30203, however Org mode commit 03635a335 is not.
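
The message above describes a fix made of three cooperating pieces: the variable in files.el, the marking in mm-view.el, and the check in whichever Org is loaded. The following is an added example, not part of the original message and not code from Emacs or Org, that reports which of those pieces the running Emacs has. The `my/` helper names are hypothetical, and the source-text search is a heuristic that assumes the `.el` (or `.el.gz`) sources are installed.

```elisp
;; Added example: report which parts of the `untrusted-content' fix
;; chain are visible in the running Emacs.  The my/ names are
;; hypothetical helpers, not Emacs or Org APIs.
(require 'find-func)                    ; provides `find-library-name'

(defun my/library-mentions-p (library text)
  "Return t if the source of LIBRARY contains TEXT, nil if it does not.
Return the symbol `unknown' when the source file cannot be found.
This is a plain text search, so a match inside a comment also counts."
  (condition-case nil
      (let ((file (find-library-name library)))
        (with-temp-buffer
          ;; Compressed sources are handled by `auto-compression-mode',
          ;; which is enabled by default.
          (insert-file-contents file)
          (and (search-forward text nil t) t)))
    (error 'unknown)))

(defun my/untrusted-content-fix-status ()
  "Return an alist describing the pieces named in the message."
  (list
   ;; files.el piece: the variable has to exist at all.
   (cons 'variable-defined (boundp 'untrusted-content))
   ;; mm-view.el piece: the Gnus inline display code has to set it.
   (cons 'mm-view-sets-variable
         (my/library-mentions-p "mm-view" "untrusted-content"))
   ;; Org piece: the org.el that comes first on `load-path' (built-in
   ;; or an external package) has to consult the variable.
   (cons 'org-checks-variable
         (my/library-mentions-p "org" "untrusted-content"))
   ;; Which Org that is, so an older external copy is easy to spot.
   (cons 'org-library (locate-library "org"))))

;; Evaluate (my/untrusted-content-fix-status) in the Emacs being checked.
```

If `org-checks-variable` is nil while the other two entries are t, the Org on `load-path` lacks the check, which is the external Org mode case the message calls out.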