From: Sean Whitton
Newsgroups: gmane.emacs.devel,gmane.comp.security.oss.general
Subject: Re: Is CVE-2024-30203 bogus? (Emacs)
Date: Wed, 10 Apr 2024 19:57:11 +0800
Message-ID: <87bk6he8h4.fsf_-_@melete.silentflame.com>
References: <874jccjpvy.fsf@melete.silentflame.com> <87y19nu22i.fsf@localhost>
Cc: emacs@packages.debian.org, emacs-devel@gnu.org, oss-security@lists.openwall.com
To: Ihor Radchenko
In-Reply-To: <87y19nu22i.fsf@localhost> (Ihor Radchenko's message of "Mon, 08 Apr 2024 18:44:21 +0000")

Hello,

On Mon 08 Apr 2024 at 06:44pm GMT, Ihor Radchenko wrote:

> Sean Whitton writes:
>
>> The description for CVE-2024-30203 is
>>
>>     In Emacs before 29.3, Gnus treats inline MIME contents as trusted.
>
> Before Emacs 29.3, there was no concept of trusted or untrusted content
> in Emacs. We introduced it specifically to control whether we allow
> running LaTeX on the contents of a given buffer. (And even in Emacs
> 29.3, the concept of untrusted contents is not yet official) So, at least
> the title is misleading.

Right, it's a purely preliminary change, not fixing any holes in itself.

>> and for CVE-2024-30204 is
>>
>>     In Emacs before 29.3, LaTeX preview is enabled by default for e-mail
>>     attachments.
>
> This is closer to what was happening.
> Note that LaTeX preview itself was not a problem. The problem was that we
> executed actual latex program without user query with input taken from
> buffer text to generate the previews (using the default settings). LaTeX
> input can be specifically constructed to cause DOS when using LaTeX
> compiler, which is especially dangerous when the input is coming from
> emails.
>
> Also, only GNUS and MUA clients re-using gnus libs (at least, notmuch
> and mu4e) were affected. Not rmail, AFAIK.
>
>> ...
>> I think it's the first one -- can you confirm?
>
> I hope that the above clarified things.

Hmm, thank you, but let me ask a follow-up question: do you agree with
me that there is only one security flaw covered by these two CVEs, and
CVE-2024-30203 is the superfluous one?

-- 
Sean Whitton