Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 927820 (CVE-2024-30202, CVE-2024-30203, CVE-2024-30204, CVE-2024-30205) - app-editors/emacs-{26.3-r16,27.2-r14,28.2-r10,29.2-r1}, <app-emacs/org-mode-9.6.23: possible security issues in org-mode and gnus
Summary: app-editors/emacs-{26.3-r16,27.2-r14,28.2-r10,29.2-r1}, <app-emacs/org-mode-9...
Alias: CVE-2024-30202, CVE-2024-30203, CVE-2024-30204, CVE-2024-30205
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
Whiteboard: A2 [stable]
Depends on: 930795 927822
  Show dependency tree
Reported: 2024-03-25 15:20 UTC by Ulrich Müller
Modified: 2024-04-27 18:33 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Ulrich Müller gentoo-dev 2024-03-25 15:20:24 UTC
From emacs-29.3/etc/NEWS:

   * Changes in Emacs 29.3
   Emacs 29.3 is an emergency bugfix release intended to fix several
   security vulnerabilities described below.

   ** Arbitrary Lisp code is no longer evaluated as part of turning on Org mode.
   This is for security reasons, to avoid evaluating malicious Lisp code.

   ** New buffer-local variable 'untrusted-content'.
   When this is non-nil, Lisp programs should treat buffer contents with
   extra caution.

   ** Gnus now treats inline MIME contents as untrusted.
   To get back previous insecure behavior, 'untrusted-content' should be
   reset to nil in the buffer.

   ** LaTeX preview is now by default disabled for email attachments.
   To get back previous insecure behavior, set the variable
   'org--latex-preview-when-risky' to a non-nil value.

   ** Org mode now considers contents of remote files to be untrusted.
   Remote files are recognized by calling 'file-remote-p'.

The bugs have been fixed in versions:

Slot 18 is not affected.
Comment 1 Ulrich Müller gentoo-dev 2024-03-25 15:43:36 UTC
<app-emacs/org-mode-9.6.23 is also affected.
Comment 2 Larry the Git Cow gentoo-dev 2024-03-25 18:52:22 UTC
The bug has been referenced in the following commit(s):

commit 776ccac5c84aa8942ddf6af1019aa0b36b132a1d
Author:     Maciej Barć <>
AuthorDate: 2024-03-25 18:51:46 +0000
Commit:     Maciej Barć <>
CommitDate: 2024-03-25 18:51:46 +0000

    app-emacs/org-mode: drop old 9.6.19
    Signed-off-by: Maciej Barć <>

 app-emacs/org-mode/Manifest               |  1 -
 app-emacs/org-mode/org-mode-9.6.19.ebuild | 50 -------------------------------
 2 files changed, 51 deletions(-)
Comment 3 Maciej Barć gentoo-dev 2024-03-25 18:55:20 UTC
All vulnerable version of app-emacs/org-mode gone for the tree.