Message-ID: <Zhafa3wcZONJX-_k@eldamar.lan>
Date: Wed, 10 Apr 2024 16:17:15 +0200
From: Salvatore Bonaccorso <carnil@...ian.org>
To: oss-security@...ts.openwall.com
Cc: Sean Whitton <spwhitton@...hitton.name>, emacs@...kages.debian.org, emacs-devel@....org
Subject: Re: Re: Is CVE-2024-30203 bogus? (Emacs)

Hi,

On Wed, Apr 10, 2024 at 12:04:06PM +0000, Ihor Radchenko wrote:
> Sean Whitton <spwhitton@...hitton.name> writes:
>
> > Hmm, thank you, but let me ask a follow-up question: do you agree with
> > me that there is only one security flaw covered by these two CVEs, and
> > CVE-2024-30203 is the superfluous one?
>
> Yes, CVE-2024-30203 title is superfluous.
> And CVE-2024-30204 title is not accurate - it only applies to
> certain attachments with specific (text/x-org) mime type.

Note that the CVE assignment (by MITRE as assigning CNA) for
CVE-2024-30203 is explicitly as follows:

> In Emacs before 29.3, Gnus treats inline MIME contents as trusted.

associated with:
https://git.savannah.gnu.org/cgit/emacs.git/commit/?h=emacs-29&id=937b9042ad7426acdcca33e3d931d8f495bdd804

If you think the CVE assignment is not valid, then you might ask for a
REJECT on https://cveform.mitre.org/ .

Regards,
Salvatore