From mboxrd@z Thu Jan 1 00:00:00 1970 Path: news.gmane.io!.POSTED.blaine.gmane.org!not-for-mail From: Ihor Radchenko Newsgroups: gmane.emacs.devel,gmane.comp.security.oss.general Subject: Re: Is CVE-2024-30203 bogus? (Emacs) Date: Wed, 10 Apr 2024 12:04:06 +0000 Message-ID: <87o7ahe85l.fsf@localhost> References: <874jccjpvy.fsf@melete.silentflame.com> <87y19nu22i.fsf@localhost> <87bk6he8h4.fsf_-_@melete.silentflame.com> Mime-Version: 1.0 Content-Type: text/plain Injection-Info: ciao.gmane.io; posting-host="blaine.gmane.org:116.202.254.214"; logging-data="28849"; mail-complaints-to="usenet@ciao.gmane.io" Cc: emacs@packages.debian.org, emacs-devel@gnu.org, oss-security@lists.openwall.com To: Sean Whitton Original-X-From: emacs-devel-bounces+ged-emacs-devel=m.gmane-mx.org@gnu.org Wed Apr 10 14:04:35 2024 Return-path: Envelope-to: ged-emacs-devel@m.gmane-mx.org Original-Received: from lists.gnu.org ([209.51.188.17]) by ciao.gmane.io with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1ruWgt-0007Gx-Ic for ged-emacs-devel@m.gmane-mx.org; Wed, 10 Apr 2024 14:04:35 +0200 Original-Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1ruWgA-0006TC-1G; Wed, 10 Apr 2024 08:03:50 -0400 Original-Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1ruWg7-0006RY-8V for emacs-devel@gnu.org; Wed, 10 Apr 2024 08:03:47 -0400 Original-Received: from mout02.posteo.de ([185.67.36.66]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1ruWg5-00013g-2T for emacs-devel@gnu.org; Wed, 10 Apr 2024 08:03:47 -0400 Original-Received: from submission (posteo.de [185.67.36.169]) by mout02.posteo.de (Postfix) with ESMTPS id 2DB32240103 for ; Wed, 10 Apr 2024 14:03:42 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=posteo.net; s=2017; t=1712750622; bh=lTl84K3MG4opsaM5R8fAZK9h7hi1aGd6gIu208zTUsA=; h=From:To:Cc:Subject:Date:Message-ID:MIME-Version:Content-Type: From; b=OrubF5CknGLUNPgI5SH5s4AQygqQelFheL+R+kL60pBvx/yfkjeRdI3viKLuaRZkO +xNCIJxCxwMIQhVMDjN9mZP4X6NufCQF1NZSMjrnOSSL2Tp5w14cDcrX6umiLllY7M igik53y3BnKvNQqszoRf1fypqYlPeGR52NKvkC5+j9cUfSp1E9h3IMU9H9ou6YolCX g6/tqRkWMZDwBvsTHG0aZiX2FoltWVzU/UL4tJKmEOf9/OWONhTdfst8u4+tKEz6e7 GPZFy2GyX1NqDWSOyWdAtQjkKFMbXshDbIk7ja9Ufq43nmUSwKG06hlnbQsPqaATCX U6c88J391WFNw== Original-Received: from customer (localhost [127.0.0.1]) by submission (posteo.de) with ESMTPSA id 4VF1gw4kJvz6txY; Wed, 10 Apr 2024 14:03:40 +0200 (CEST) In-Reply-To: <87bk6he8h4.fsf_-_@melete.silentflame.com> Received-SPF: pass client-ip=185.67.36.66; envelope-from=yantar92@posteo.net; helo=mout02.posteo.de X-Spam_score_int: -43 X-Spam_score: -4.4 X-Spam_bar: ---- X-Spam_report: (-4.4 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: emacs-devel@gnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Emacs development discussions." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: emacs-devel-bounces+ged-emacs-devel=m.gmane-mx.org@gnu.org Original-Sender: emacs-devel-bounces+ged-emacs-devel=m.gmane-mx.org@gnu.org Xref: news.gmane.io gmane.emacs.devel:317655 gmane.comp.security.oss.general:30109 Archived-At: Sean Whitton writes: > Hmm, thank you, but let me ask a follow-up question: do you agree with > me that there is only one security flaw covered by these two CVEs, and > CVE-2024-30203 is the superfluous one? Yes, CVE-2024-30203 title is superfluous. And CVE-2024-30204 title is not accurate - it only applies to certain attachments with specific (text/x-org) mime type. -- Ihor Radchenko // yantar92, Org mode contributor, Learn more about Org mode at . Support Org development at , or support my work at