Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <26cd87ab-a547-4070-b20f-f7fd7ed1a04e@gmail.com>
Date: Mon, 8 Apr 2024 23:55:35 +0700
From: Max Nikulin <manikulin@...il.com>
To: Eli Zaretskii <eliz@....org>, Sean Whitton <spwhitton@...hitton.name>
Cc: yantar92@...teo.net, emacs@...kages.debian.org, emacs-devel@....org,
 oss-security@...ts.openwall.com
Subject: Re: Is CVE-2024-30203 bogus? (Emacs)

On 08/04/2024 18:38, Eli Zaretskii wrote:
>> From: Sean Whitton Date: Mon, 08 Apr 2024 15:05:21 +0800
>>
>> - CVE-2024-30203 is just bogus, based on a misunderstanding by the CVEs
>>    assigner of exactly what the vulnerabilities were
>>
>> - CVE-2024-30203 is legitimate, and we have only fixed one possible way
>>    in which Gnus treats inline MIME content as trusted.
>>
>> I think it's the first one -- can you confirm?
> 
> I'm not Ihor, but I cannot agree with you.  Those changes fixed two
> problems, not one: both the fact that by default MIME attachments are
> treated in a way that can execute arbitrary code, and the fact that
> maliciously-constructed LaTeX attachment could exhaust all free space
> on your disk.

Arbitrary code execution bug is neither CVE-2024-30203 nor 
CVE-2024-30204, it is

CVE-2024-30202 "In Emacs before 29.3, arbitrary Lisp code is evaluated 
as part of turning on Org mode. This affects Org Mode before 9.6.23."

and it is fixed by

- 
https://git.savannah.gnu.org/cgit/emacs.git/commit/?h=emacs-29&id=befa9fcaae29a6c9a283ba371c3c5234c7f644eb
- 
https://git.savannah.gnu.org/cgit/emacs/org-mode.git/commit/?id=003ddacf1c8d869b1858181c29ea21b731a8d8d9
2024-02-20 12:19:46 +0300 Ihor Radchenko: org-macro--set-templates: 
Prevent code evaluation

This commit fully covers both scenarios:
- inline preview for attachments in Gnus,
- a text file (not necessary having .org suffix) opened in Emacs directly.

I hope, rare users have Org mode or TeX engine configuration allowing 
execution of arbitrary shell commands during generation of LaTeX preview.

The commits mentioned by Sean suppress a kind of DoS (attempt to exhaust 
disk space or inodes allocated for /tmp) through LaTeX preview for email 
attachments. (There is no reasonable way to address the case when a 
malicious file is opened in Emacs.)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.