From: Sean Whitton
To: Salvatore Bonaccorso
Cc: oss-security@lists.openwall.com, emacs@packages.debian.org, emacs-devel@gnu.org
Date: Thu, 11 Apr 2024 17:13:26 +0800
Message-ID: <87y19kcle1.fsf@melete.silentflame.com>
Subject: Re: [oss-security] Re: Is CVE-2024-30203 bogus? (Emacs)

Hello,

On Wed 10 Apr 2024 at 04:17pm +02, Salvatore Bonaccorso wrote:

> Note that the CVE assignment (by MITRE as assigning CNA) for
> CVE-2024-30203 is explicitly as follows:
>
>> In Emacs before 29.3, Gnus treats inline MIME contents as trusted.
>
> associated with:
>
> https://git.savannah.gnu.org/cgit/emacs.git/commit/?h=emacs-29&id=937b9042ad7426acdcca33e3d931d8f495bdd804

This commit doesn't fix anything at all, just fyi.

> If you think the CVE assignment is not valid, then you might ask for a
> REJECT on https://cveform.mitre.org/ .

Okay, I'll do that, thanks.

-- 
Sean Whitton