Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 927820 (CVE-2024-30202, CVE-2024-30203, CVE-2024-30204, CVE-2024-30205) - app-editors/emacs-{26.3-r16,27.2-r14,28.2-r10,29.2-r1}, <app-emacs/org-mode-9.6.23: possible security issues in org-mode and gnus
Summary: app-editors/emacs-{26.3-r16,27.2-r14,28.2-r10,29.2-r1}, <app-emacs/org-mode-9...
Status: RESOLVED FIXED
Alias: CVE-2024-30202, CVE-2024-30203, CVE-2024-30204, CVE-2024-30205
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal
Assignee: Gentoo Security
URL: https://lists.gnu.org/archive/html/in...
Whiteboard: A2 [glsa+]
Keywords:
Depends on: 927822 930795
Blocks:
  Show dependency tree
 
Reported: 2024-03-25 15:20 UTC by Ulrich Müller
Modified: 2024-07-01 06:11 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Ulrich Müller gentoo-dev 2024-03-25 15:20:24 UTC
From emacs-29.3/etc/NEWS:

   * Changes in Emacs 29.3
   Emacs 29.3 is an emergency bugfix release intended to fix several
   security vulnerabilities described below.

   ** Arbitrary Lisp code is no longer evaluated as part of turning on Org mode.
   This is for security reasons, to avoid evaluating malicious Lisp code.

   ** New buffer-local variable 'untrusted-content'.
   When this is non-nil, Lisp programs should treat buffer contents with
   extra caution.

   ** Gnus now treats inline MIME contents as untrusted.
   To get back previous insecure behavior, 'untrusted-content' should be
   reset to nil in the buffer.

   ** LaTeX preview is now by default disabled for email attachments.
   To get back previous insecure behavior, set the variable
   'org--latex-preview-when-risky' to a non-nil value.

   ** Org mode now considers contents of remote files to be untrusted.
   Remote files are recognized by calling 'file-remote-p'.

The bugs have been fixed in versions:
   emacs-26.3-r17:26
   emacs-27.2-r15:27
   emacs-28.2-r11:28
   emacs-29.3:29

Slot 18 is not affected.
Comment 1 Ulrich Müller gentoo-dev 2024-03-25 15:43:36 UTC
<app-emacs/org-mode-9.6.23 is also affected.
Comment 2 Larry the Git Cow gentoo-dev 2024-03-25 18:52:22 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=776ccac5c84aa8942ddf6af1019aa0b36b132a1d

commit 776ccac5c84aa8942ddf6af1019aa0b36b132a1d
Author:     Maciej Barć <xgqt@gentoo.org>
AuthorDate: 2024-03-25 18:51:46 +0000
Commit:     Maciej Barć <xgqt@gentoo.org>
CommitDate: 2024-03-25 18:51:46 +0000

    app-emacs/org-mode: drop old 9.6.19
    
    Bug: https://bugs.gentoo.org/927820
    Signed-off-by: Maciej Barć <xgqt@gentoo.org>

 app-emacs/org-mode/Manifest               |  1 -
 app-emacs/org-mode/org-mode-9.6.19.ebuild | 50 -------------------------------
 2 files changed, 51 deletions(-)
Comment 3 Maciej Barć gentoo-dev 2024-03-25 18:55:20 UTC
All vulnerable version of app-emacs/org-mode gone for the tree.
Comment 4 Larry the Git Cow gentoo-dev 2024-06-04 18:53:36 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ac4f684c29fc247b1edcc385ffa07cb4ecc4453f

commit ac4f684c29fc247b1edcc385ffa07cb4ecc4453f
Author:     Ulrich Müller <ulm@gentoo.org>
AuthorDate: 2024-06-04 18:51:22 +0000
Commit:     Ulrich Müller <ulm@gentoo.org>
CommitDate: 2024-06-04 18:52:20 +0000

    app-editors/emacs: drop 26.3-r16, 27.2-r14, 28.2-r10, 29.3-r1
    
    Bug: https://bugs.gentoo.org/927820
    Signed-off-by: Ulrich Müller <ulm@gentoo.org>

 app-editors/emacs/Manifest              |   4 -
 app-editors/emacs/emacs-26.3-r16.ebuild | 379 -------------------
 app-editors/emacs/emacs-27.2-r14.ebuild | 445 -----------------------
 app-editors/emacs/emacs-28.2-r10.ebuild | 536 ---------------------------
 app-editors/emacs/emacs-29.3-r1.ebuild  | 627 --------------------------------
 5 files changed, 1991 deletions(-)
Comment 5 Larry the Git Cow gentoo-dev 2024-07-01 06:10:12 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=7c19ce25facd6aa54d2b0f9a8fecd6020509009e

commit 7c19ce25facd6aa54d2b0f9a8fecd6020509009e
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-07-01 05:59:40 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2024-07-01 06:09:36 +0000

    [ GLSA 202407-08 ] GNU Emacs, Org Mode: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/897950
    Bug: https://bugs.gentoo.org/927820
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202407-08.xml | 66 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 66 insertions(+)