From mboxrd@z Thu Jan 1 00:00:00 1970 Path: news.gmane.io!.POSTED.blaine.gmane.org!not-for-mail From: Eli Zaretskii Newsgroups: gmane.emacs.devel,gmane.comp.security.oss.general Subject: Re: Is CVE-2024-30203 bogus? Date: Mon, 08 Apr 2024 14:38:35 +0300 Message-ID: <865xwsythg.fsf@gnu.org> References: <874jccjpvy.fsf@melete.silentflame.com> Injection-Info: ciao.gmane.io; posting-host="blaine.gmane.org:116.202.254.214"; logging-data="338"; mail-complaints-to="usenet@ciao.gmane.io" Cc: yantar92@posteo.net, emacs@packages.debian.org, emacs-devel@gnu.org, oss-security@lists.openwall.com To: Sean Whitton Original-X-From: emacs-devel-bounces+ged-emacs-devel=m.gmane-mx.org@gnu.org Mon Apr 08 13:39:17 2024 Return-path: Envelope-to: ged-emacs-devel@m.gmane-mx.org Original-Received: from lists.gnu.org ([209.51.188.17]) by ciao.gmane.io with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1rtnLJ-000AQB-KG for ged-emacs-devel@m.gmane-mx.org; Mon, 08 Apr 2024 13:39:17 +0200 Original-Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1rtnKj-0007Eu-9Y; Mon, 08 Apr 2024 07:38:41 -0400 Original-Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1rtnKh-0007Ei-9m for emacs-devel@gnu.org; Mon, 08 Apr 2024 07:38:40 -0400 Original-Received: from fencepost.gnu.org ([2001:470:142:3::e]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1rtnKf-0007Jd-AG; Mon, 08 Apr 2024 07:38:37 -0400 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=gnu.org; s=fencepost-gnu-org; h=References:Subject:In-Reply-To:To:From:Date: mime-version; bh=4y/B4caoSDOYMgyU0RgD6+hiNbjvvqChqVRLSLLe228=; b=OK0L097wmAiT 9meqfgBBA9zhtLdUwqG4g0QNhSZEjArmf3Y8e3PQr9y+CG9LXbgLtbgPvbGS+qlIXZA50GmqNaIRD 6JlS8v/COMuc0sU9yZ5CXHb+vviJdMawphPhbczcA5tSG3ZORjGn4uu4MX7whyEd0HzoRI6hpS4Mq f7r04XZ8PIB6TxSBuNefQVUjx3sHXXqe9K852PfpuXt0soqJLGzas2GyY003wdkE+eUGJ/k021WWo jALKumvKRD6PuL/m0lhWOuUl7878kXKok3fHV6GdxGw3sLhFcU2Ncm2W7UMTK/CHXYYmcuBlm/h7x z0lDvjN8bFNNR1/flap+qQ==; In-Reply-To: <874jccjpvy.fsf@melete.silentflame.com> (message from Sean Whitton on Mon, 08 Apr 2024 15:05:21 +0800) X-BeenThere: emacs-devel@gnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Emacs development discussions." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: emacs-devel-bounces+ged-emacs-devel=m.gmane-mx.org@gnu.org Original-Sender: emacs-devel-bounces+ged-emacs-devel=m.gmane-mx.org@gnu.org Xref: news.gmane.io gmane.emacs.devel:317603 gmane.comp.security.oss.general:30082 Archived-At: > From: Sean Whitton > Cc: emacs@packages.debian.org, emacs-devel@gnu.org, > oss-security@lists.openwall.com > Date: Mon, 08 Apr 2024 15:05:21 +0800 > > > The description for CVE-2024-30203 is > > In Emacs before 29.3, Gnus treats inline MIME contents as trusted. > > and for CVE-2024-30204 is > > In Emacs before 29.3, LaTeX preview is enabled by default for e-mail > attachments. > > but I think these commits > > * ccc188fcf98..: Ihor Radchenko 2024-02-20 * lisp/files.el > (untrusted-content): New variable. > * 937b9042ad7..: Ihor Radchenko 2024-02-20 * lisp/gnus/mm-view.el > (mm-display-inline-fontify): Mark contents untrusted. > * 6f9ea396f49..: Ihor Radchenko 2024-02-20 org-latex-preview: Add > protection when `untrusted-content' is non-nil > > fix only a single problem, right? But we have two CVEs. > > It seems to me that either > > - CVE-2024-30203 is just bogus, based on a misunderstanding by the CVEs > assigner of exactly what the vulnerabilities were > > - CVE-2024-30203 is legitimate, and we have only fixed one possible way > in which Gnus treats inline MIME content as trusted. > > I think it's the first one -- can you confirm? I'm not Ihor, but I cannot agree with you. Those changes fixed two problems, not one: both the fact that by default MIME attachments are treated in a way that can execute arbitrary code, and the fact that maliciously-constructed LaTeX attachment could exhaust all free space on your disk.