[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Is CVE-2024-30203 bogus? (Emacs)
|
From: |
Max Nikulin |
|
Subject: |
Re: Is CVE-2024-30203 bogus? (Emacs) |
|
Date: |
Thu, 11 Apr 2024 17:38:48 +0700 |
|
User-agent: |
Mozilla Thunderbird |
On 11/04/2024 16:13, Sean Whitton wrote:
On Wed 10 Apr 2024 at 04:17pm +02, Salvatore Bonaccorso wrote:
Note that the CVE assignment (by MITRE as assigning CNA) for
CVE-2024-30203 is explicitly as follows:
In Emacs before 29.3, Gnus treats inline MIME contents as trusted.
https://git.savannah.gnu.org/cgit/emacs.git/commit/?h=emacs-29&id=937b9042ad7426acdcca33e3d931d8f495bdd804
This commit doesn't fix anything at all, just fyi.
This Emacs commit
2024-02-20 12:44:30 +0300 Ihor Radchenko:
* lisp/gnus/mm-view.el (mm-display-inline-fontify): Mark contents
untrusted.)
is not enough to fix the issue. More changes are required to make the
fix effective, namely
ccc188fcf98 2024-02-20 12:43:51 +0300 Ihor Radchenko: * lisp/files.el
(untrusted-content): New variable.
6f9ea396f49 2024-02-20 12:47:24 +0300 Ihor Radchenko: org-latex-preview:
Add protection when `untrusted-content' is non-nil
When external Org mode is loaded, that version should contain
https://git.savannah.gnu.org/cgit/emacs/org-mode.git/commit/?id=03635a335
2024-02-20 12:47:24 +0300 Ihor Radchenko: org-latex-preview: Add
protection when `untrusted-content' is non-nil
besides Emacs commits ccc188fcf98 and 937b9042ad7
Emacs commit 6f9ea396f49 (fix of built-in Org mode) is currently
associated with CVE-2024-30203, however Org mode commit 03635a335
is not.