Hello,
On Wed 10 Apr 2024 at 10:07pm +07, Max Nikulin wrote:
> On 10/04/2024 21:17, Salvatore Bonaccorso wrote:
>> On Wed, Apr 10, 2024 at 12:04:06PM +0000, Ihor Radchenko wrote:
>>>
>>> Yes, CVE-2024-30203 title is superfluous.
>>> And CVE-2024-30204 title is not accurate - it only applies to
>>> certain attachments with specific (text/x-org) mime type.
> [...]
>> If you think the CVE assignment is not valid, then you might ask for a
>> REJECT on https://cveform.mitre.org/ .
>
> Do 2 CVE numbers make sense to track fixes in Emacs and Org mode? Various
> versions of Org mode may be loaded to different versions of Emacs and both
> parties must have fixes to avoid the issue.
My understanding is that one CVE for the same vulnerability in multiple
code bases is normal.
--
Sean Whitton
Hello,
On Wed 10 Apr 2024 at 04:17pm +02, Salvatore Bonaccorso wrote:
> Note that the CVE assignment (by MITRE as assigning CNA) for
> CVE-2024-30203 is explicitly as follows:
>
>> In Emacs before 29.3, Gnus treats inline MIME contents as trusted.
>
> associated with:
>
> https://git.savannah.gnu.org/cgit/emacs.git/commit/?h=emacs-29&id=937b9042ad7426acdcca33e3d931d8f495bdd804
This commit doesn't fix anything at all, just fyi.
> If you think the CVE assignment is not valid, then you might ask for a
> REJECT on https://cveform.mitre.org/ .
Okay, I'll do that, thanks.
--
Sean Whitton
On 11/04/2024 16:13, Sean Whitton wrote:
> On Wed 10 Apr 2024 at 04:17pm +02, Salvatore Bonaccorso wrote:
>
>> Note that the CVE assignment (by MITRE as assigning CNA) for
>> CVE-2024-30203 is explicitly as follows:
>>
>>> In Emacs before 29.3, Gnus treats inline MIME contents as trusted.
>>
>> https://git.savannah.gnu.org/cgit/emacs.git/commit/?h=emacs-29&id=937b9042ad7426acdcca33e3d931d8f495bdd804
>
> This commit doesn't fix anything at all, just fyi.
This Emacs commit
2024-02-20 12:44:30 +0300 Ihor Radchenko:
* lisp/gnus/mm-view.el (mm-display-inline-fontify): Mark contents
untrusted.)
is not enough to fix the issue. More changes are required to make the
fix effective, namely
ccc188fcf98 2024-02-20 12:43:51 +0300 Ihor Radchenko: * lisp/files.el
(untrusted-content): New variable.
6f9ea396f49 2024-02-20 12:47:24 +0300 Ihor Radchenko: org-latex-preview:
Add protection when `untrusted-content' is non-nil
When external Org mode is loaded, that version should contain
https://git.savannah.gnu.org/cgit/emacs/org-mode.git/commit/?id=03635a335
2024-02-20 12:47:24 +0300 Ihor Radchenko: org-latex-preview: Add
protection when `untrusted-content' is non-nil
besides Emacs commits ccc188fcf98 and 937b9042ad7
Emacs commit 6f9ea396f49 (fix of built-in Org mode) is currently
associated with CVE-2024-30203, however Org mode commit 03635a335
is not.