From: Sean Whitton
Subject: Re: [oss-security] Re: Is CVE-2024-30203 bogus? (Emacs)
Date: Thu, 11 Apr 2024 17:13:26 +0800
To: Salvatore Bonaccorso
Cc: oss-security@lists.openwall.com, emacs@packages.debian.org, emacs-devel@gnu.org
Message-ID: <87y19kcle1.fsf@melete.silentflame.com>
In-Reply-To: Salvatore Bonaccorso's message of "Wed, 10 Apr 2024 16:17:15 +0200"
Newsgroups: gmane.emacs.devel, gmane.comp.security.oss.general

Hello,

On Wed 10 Apr 2024 at 04:17pm +02, Salvatore Bonaccorso wrote:

> Note that the CVE assignment (by MITRE as assigning CNA) for
> CVE-2024-30203 is explicitly as follows:
>
>> In Emacs before 29.3, Gnus treats inline MIME contents as trusted.
>
> associated with:
>
> https://git.savannah.gnu.org/cgit/emacs.git/commit/?h=emacs-29&id=937b9042ad7426acdcca33e3d931d8f495bdd804

This commit doesn't fix anything at all, just fyi.

> If you think the CVE assignment is not valid, then you might ask for a
> REJECT on https://cveform.mitre.org/ .

Okay, I'll do that, thanks.

-- 
Sean Whitton