From: Sean Whitton
Newsgroups: gmane.emacs.devel,gmane.comp.security.oss.general
Subject: Re: Is CVE-2024-30203 bogus? (Emacs)
Date: Thu, 11 Apr 2024 17:12:37 +0800
Message-ID: <8734rsdzzu.fsf@melete.silentflame.com>
To: Max Nikulin
Cc: oss-security@lists.openwall.com, emacs@packages.debian.org, emacs-devel@gnu.org, Ihor Radchenko

Hello,

On Wed 10 Apr 2024 at 10:07pm +07, Max Nikulin wrote:

> On 10/04/2024 21:17, Salvatore Bonaccorso wrote:
>> On Wed, Apr 10, 2024 at 12:04:06PM +0000, Ihor Radchenko wrote:
>>>
>>> Yes, CVE-2024-30203 title is superfluous.
>>> And CVE-2024-30204 title is not accurate - it only applies to
>>> certain attachments with specific (text/x-org) mime type.
> [...]
>> If you think the CVE assignment is not valid, then you might ask for a
>> REJECT on https://cveform.mitre.org/ .
>
> Do 2 CVE numbers make sense to track fixes in Emacs and Org mode? Various
> versions of Org mode may be loaded to different versions of Emacs and both
> parties must have fixes to avoid the issue.

My understanding is that one CVE for the same vulnerability in multiple
code bases is normal.

-- 
Sean Whitton