Bug 1222053 (CVE-2024-30203) - VUL-0: CVE-2024-30203: emacs: Gnus treats inline MIME contents as trusted
Status: RESOLVED FIXED
Alias: CVE-2024-30203
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
: P3 - Medium : Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/398853/
Whiteboard: CVSSv3.1:SUSE:CVE-2024-30203:2.8:(AV:...
Reported: 2024-03-27 10:34 UTC by SMASH SMASH
Modified: 2024-07-19 09:47 UTC

Found By: Security Response Team


Attachments
CVE-2024-30203.patch for GNU Emacs 24.4 (2.87 KB, text/plain)
2024-04-04 12:08 UTC, Dr. Werner Fink

Comment 1 Dr. Werner Fink 2024-03-27 13:38:54 UTC
As TW is fixed ... is this valid for SLE-15 or SLE-12?

SLE-15-SP4/emacs-27.2> pkgtouch -p1 ../CVE-2024-30203.patch
1 out of 1 hunk FAILED -- saving rejects to file lisp/gnus/mm-view.el.rej


OK only a one liner and could be ported back but the variable

   untrusted-content

is not used in emacs 27.2 org tree

SLE-15-SP4/emacs-27.2> grep untrusted-content ../../../emacs-29.3/lisp/ lisp/ -rs | grep -v Binary
../../../emacs-29.3/lisp/files.el:(defvar-local untrusted-content nil
../../../emacs-29.3/lisp/files.el:(put 'untrusted-content 'permanent-local t)
../../../emacs-29.3/lisp/gnus/mm-view.el:      (setq untrusted-content t)
../../../emacs-29.3/lisp/org/org.el:(defvar untrusted-content) ; defined in files.el
../../../emacs-29.3/lisp/org/org.el:variable `untrusted-content' has a non-nil value in the buffer.
../../../emacs-29.3/lisp/org/org.el:   ((and untrusted-content (not org--latex-preview-when-risky)) nil)
lisp/gnus/mm-view.el.rej:+      (setq untrusted-content t)
Comment 3 Andrea Mattiazzo 2024-03-27 15:26:46 UTC
(In reply to Dr. Werner Fink from comment #1)
> AS TW is fixed .. is this valid for SLE-15 or SLE-12
> 
> SLE-15-SP4/emacs-27.2> pkgtouch -p1 ../CVE-2024-30203.patch
> 1 out of 1 hunk FAILED -- saving rejects to file lisp/gnus/mm-view.el.rej
> 
> 
> OK only a one liner and could be ported back but the variable
> 
>    untrusted-content
> 
> is not used in emacs 27.2 org tree
> 
> SLE-15-SP4/emacs-27.2> grep untrusted-content ../../../emacs-29.3/lisp/
> lisp/ -rs | grep -v Binary
> ../../../emacs-29.3/lisp/files.el:(defvar-local untrusted-content nil
> ../../../emacs-29.3/lisp/files.el:(put 'untrusted-content 'permanent-local t)
> ../../../emacs-29.3/lisp/gnus/mm-view.el:      (setq untrusted-content t)
> ../../../emacs-29.3/lisp/org/org.el:(defvar untrusted-content) ; defined in
> files.el
> ../../../emacs-29.3/lisp/org/org.el:variable `untrusted-content' has a
> non-nil value in the buffer.
> ../../../emacs-29.3/lisp/org/org.el:   ((and untrusted-content (not
> org--latex-preview-when-risky)) nil)
> lisp/gnus/mm-view.el.rej:+      (setq untrusted-content t)

Yeah, the untrusted-content variable is not present in older versions of the package. It was introduced via [0] and is used only here [1], in the function org-latex-preview (&optional arg). I don't find any other usage of it. Could you please double check?

[0] https://git.savannah.gnu.org/cgit/emacs.git/commit/?h=emacs-29&id=ccc188fcf98ad9166ee551fac9d94b2603c3a51b
[1] https://git.savannah.gnu.org/cgit/emacs.git/commit/?h=emacs-29&id=6f9ea396f49cbe38c2173e0a72ba6af3e03b271c
Comment 4 Andrea Mattiazzo 2024-03-29 15:17:50 UTC
Tracking as affected, as marking content as unsafe is useful for the resolution of https://bugzilla.suse.com/show_bug.cgi?id=1222052:
- SUSE:ALP:Source:Standard:1.0/emacs  28.2
- SUSE:SLE-12:Update/emacs            24.3
- SUSE:SLE-15-SP4:Update/emacs        27.2
- SUSE:SLE-15:Update/emacs            25.3

Already fixed:
- openSUSE:Factory/emacs
Comment 5 Dr. Werner Fink 2024-04-04 11:52:25 UTC
(In reply to Andrea Mattiazzo from comment #3)
> (In reply to Dr. Werner Fink from comment #1)
> > AS TW is fixed .. is this valid for SLE-15 or SLE-12
> > 
> > SLE-15-SP4/emacs-27.2> pkgtouch -p1 ../CVE-2024-30203.patch
> > 1 out of 1 hunk FAILED -- saving rejects to file lisp/gnus/mm-view.el.rej
> > 
> > 
> > OK only a one liner and could be ported back but the variable
> > 
> >    untrusted-content
> > 
> > is not used in emacs 27.2 org tree
> > 
> > SLE-15-SP4/emacs-27.2> grep untrusted-content ../../../emacs-29.3/lisp/
> > lisp/ -rs | grep -v Binary
> > ../../../emacs-29.3/lisp/files.el:(defvar-local untrusted-content nil
> > ../../../emacs-29.3/lisp/files.el:(put 'untrusted-content 'permanent-local t)
> > ../../../emacs-29.3/lisp/gnus/mm-view.el:      (setq untrusted-content t)
> > ../../../emacs-29.3/lisp/org/org.el:(defvar untrusted-content) ; defined in
> > files.el
> > ../../../emacs-29.3/lisp/org/org.el:variable `untrusted-content' has a
> > non-nil value in the buffer.
> > ../../../emacs-29.3/lisp/org/org.el:   ((and untrusted-content (not
> > org--latex-preview-when-risky)) nil)
> > lisp/gnus/mm-view.el.rej:+      (setq untrusted-content t)
> 
> Yeah, untrusted-content variable is not present on older version of package.
> It was introduced via [0] and used only here [1] in function
> org-latex-preview (&optional arg). I don't find any other usage of it. Could
> you please double check?

The lisp function (org-latex-preview()) does not exist in org of 24.3


> Yeah, untrusted-content variable is not present on older version of package.
> It was introduced via [0] and used only here [1] in function
> org-latex-preview (&optional arg). I don't find any other usage of it. Could
> you please double check?
> 
> [0] https://git.savannah.gnu.org/cgit/emacs.git/commit/?h=emacs-29&id=ccc188fcf98ad9166ee551fac9d94b2603c3a51b
> [1] https://git.savannah.gnu.org/cgit/emacs.git/commit/?h=emacs-29&id=6f9ea396f49cbe38c2173e0a72ba6af3e03b271c

Those patches apply only in the first hunks but fail on the missing
(org-latex-preview())
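
The manual grep from comment 1, turned into a repeatable check to run before backporting the one-line change (an added example, not part of the bug thread or of the SUSE or Emacs patches). It classifies a source tree by whether `untrusted-content` is declared, set and checked; the match strings are the literal forms from that grep output, while the function names and fixture trees are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the bug thread. Patterns are the literal forms
# from the grep output in comment 1; the fixture trees below are constructed.

# has PATTERN FILE: true if FILE exists and contains the fixed string PATTERN.
has() { grep -qsF -- "$1" "$2"; }

# audit_tree DIR: print how far DIR supports the untrusted-content marker.
#   complete     declared in files.el, set by mm-view.el, checked by org.el
#   no-consumer  declared and set, but org.el never checks it
#   undeclared   set by mm-view.el without the files.el declaration
#   absent       mm-view.el does not set it
audit_tree() {
    lisp="$1/lisp"
    if ! has '(setq untrusted-content t)' "$lisp/gnus/mm-view.el"; then
        echo absent
    elif ! has '(defvar-local untrusted-content' "$lisp/files.el"; then
        echo undeclared
    elif ! has '(and untrusted-content' "$lisp/org/org.el"; then
        echo no-consumer
    else
        echo complete
    fi
}

# make_fixtures ROOT: build three constructed trees (not real Emacs sources).
make_fixtures() {
    for t in full oneliner stock; do
        mkdir -p "$1/$t/lisp/gnus" "$1/$t/lisp/org"
        : > "$1/$t/lisp/files.el"; : > "$1/$t/lisp/org/org.el"
        : > "$1/$t/lisp/gnus/mm-view.el"
    done
    # "full" carries all three forms, as the grep shows for emacs-29.3;
    # "oneliner" carries only the mm-view.el line; "stock" carries none.
    printf '%s\n' '(defvar-local untrusted-content nil' \
        "(put 'untrusted-content 'permanent-local t)" > "$1/full/lisp/files.el"
    printf '%s\n' '      (setq untrusted-content t)' | tee \
        "$1/full/lisp/gnus/mm-view.el" > "$1/oneliner/lisp/gnus/mm-view.el"
    printf '%s\n' '   ((and untrusted-content (not org--latex-preview-when-risky)) nil)' \
        > "$1/full/lisp/org/org.el"
}

root=$(mktemp -d)
make_fixtures "$root"
for t in full oneliner stock; do
    printf '%-9s %s\n' "$t" "$(audit_tree "$root/$t")"
done
rm -rf "$root"
```

A result of `undeclared` is what a tree would report if only the mm-view.el line were ported back; in Emacs Lisp, `setq` on a variable with no buffer-local declaration assigns its global value, so the files.el declaration belongs in the same backport.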
Comment 6 Dr. Werner Fink 2024-04-04 12:08:36 UTC
Created attachment 874054
CVE-2024-30203.patch for GNU Emacs 24.4

Don't know if this works, as the last time I used GNUS is now more than 20 years back
Comment 11 Maintenance Automation 2024-04-15 20:30:11 UTC
SUSE-SU-2024:1294-1: An update that solves three vulnerabilities can now be installed.

Category: security (moderate)
Bug References: 1222050, 1222052, 1222053
CVE References: CVE-2024-30203, CVE-2024-30204, CVE-2024-30205
Maintenance Incident: [SUSE:Maintenance:33222](https://smelt.suse.de/incident/33222/)
Sources used:
openSUSE Leap 15.4 (src):
 emacs-27.2-150400.3.11.1
openSUSE Leap 15.5 (src):
 emacs-27.2-150400.3.11.1
Basesystem Module 15-SP5 (src):
 emacs-27.2-150400.3.11.1
Desktop Applications Module 15-SP5 (src):
 emacs-27.2-150400.3.11.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 12 Maintenance Automation 2024-04-16 16:30:06 UTC
SUSE-SU-2024:1317-1: An update that solves three vulnerabilities can now be installed.

Category: security (low)
Bug References: 1222050, 1222052, 1222053
CVE References: CVE-2024-30203, CVE-2024-30204, CVE-2024-30205
Maintenance Incident: [SUSE:Maintenance:33335](https://smelt.suse.de/incident/33335/)
Sources used:
SUSE Linux Enterprise High Performance Computing 12 SP5 (src):
 emacs-24.3-25.17.1
SUSE Linux Enterprise Server 12 SP5 (src):
 emacs-24.3-25.17.1
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src):
 emacs-24.3-25.17.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 14 Maintenance Automation 2024-07-04 08:30:05 UTC
SUSE-SU-2024:2297-1: An update that solves four vulnerabilities can now be installed.

Category: security (important)
Bug References: 1222050, 1222052, 1222053, 1226957
CVE References: CVE-2024-30203, CVE-2024-30204, CVE-2024-30205, CVE-2024-39331
Maintenance Incident: [SUSE:Maintenance:33336](https://smelt.suse.de/incident/33336/)
Sources used:
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src):
 emacs-25.3-150000.3.22.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src):
 emacs-25.3-150000.3.22.1
SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src):
 emacs-25.3-150000.3.22.1
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src):
 emacs-25.3-150000.3.22.1
SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src):
 emacs-25.3-150000.3.22.1
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src):
 emacs-25.3-150000.3.22.1
SUSE Enterprise Storage 7.1 (src):
 emacs-25.3-150000.3.22.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 15 Dr. Werner Fink 2024-07-19 08:46:21 UTC
(In reply to Maintenance Automation from comment #14)
> SUSE-SU-2024:2297-1: An update that solves four vulnerabilities can now be
> installed.
> 
> Category: security (important)
> Bug References: 1222050, 1222052, 1222053, 1226957
> CVE References: CVE-2024-30203, CVE-2024-30204, CVE-2024-30205,
> CVE-2024-39331
> Maintenance Incident:
> [SUSE:Maintenance:33336](https://smelt.suse.de/incident/33336/)
> Sources used:
> SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src):
>  emacs-25.3-150000.3.22.1
> SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src):
>  emacs-25.3-150000.3.22.1
> SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src):
>  emacs-25.3-150000.3.22.1
> SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src):
>  emacs-25.3-150000.3.22.1
> SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src):
>  emacs-25.3-150000.3.22.1
> SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src):
>  emacs-25.3-150000.3.22.1
> SUSE Enterprise Storage 7.1 (src):
>  emacs-25.3-150000.3.22.1
> 
> NOTE: This line indicates an update has been released for the listed
> product(s). At times this might be only a partial fix. If you have questions
> please reach out to maintenance coordination.
Comment 16 Andrea Mattiazzo 2024-07-19 09:47:42 UTC
All done, closing.