List:       oss-security
Subject:    Re: [oss-security] GNU emacs 29.3 released to fix security issues
From:       Salvatore Bonaccorso <carnil () debian ! org>
Date:       2024-03-25 20:25:58
Message-ID: ZgHd1pOFki9l1zin () eldamar ! lan

On Mon, Mar 25, 2024 at 11:12:56AM +0100, Salvatore Bonaccorso wrote:
> Hi,
>
> On Sun, Mar 24, 2024 at 09:05:20AM -0700, Alan Coopersmith wrote:
> > https://lists.gnu.org/archive/html/info-gnu/2024-03/msg00005.html reports:
> >
> > > Version 29.3 of Emacs, the extensible text editor, should now
> > > be available from your nearest GNU mirror:
> > >
> > >    https://ftpmirror.gnu.org/emacs/emacs-29.3.tar.xz
> > >    https://ftpmirror.gnu.org/emacs/emacs-29.3.tar.gz[...]
> > > Emacs 29.3 is an emergency bugfix release; it includes no new features
> > > except a small number of changes intended to resolve security
> > > vulnerabilities uncovered in Emacs 29.2.  See the file etc/NEWS in the
> > > tarball; you can view it from Emacs by typing 'C-h n', or by clicking
> > > Help->Emacs News from the menu bar.
> > >
> > > You can also browse NEWS on-line using this URL:
> > >
> > >   https://git.savannah.gnu.org/cgit/emacs.git/tree/etc/NEWS?h=emacs-29
> > >
> > > For the complete list of changes and the people who made them, see the
> > > various ChangeLog files in the source distribution.  For a summary of
> > > all the people who have contributed to Emacs, see the etc/AUTHORS
> > > file.
> > >
> > > For more information about Emacs, see:
> > >   https://www.gnu.org/software/emacs
> >
> > https://git.savannah.gnu.org/cgit/emacs.git/tree/etc/NEWS?h=emacs-29
> > lists these changes:
> >
> > > * Changes in Emacs 29.3
> > > Emacs 29.3 is an emergency bugfix release intended to fix several
> > > security vulnerabilities described below.
> > >
> > > ** Arbitrary Lisp code is no longer evaluated as part of turning on Org mode.
> > > This is for security reasons, to avoid evaluating malicious Lisp code.
> > >
> > > ** New buffer-local variable 'untrusted-content'.
> > > When this is non-nil, Lisp programs should treat buffer contents with
> > > extra caution.
> > >
> > > ** Gnus now treats inline MIME contents as untrusted.
> > > To get back previous insecure behavior, 'untrusted-content' should be
> > > reset to nil in the buffer.
> > >
> > > ** LaTeX preview is now by default disabled for email attachments.
> > > To get back previous insecure behavior, set the variable
> > > 'org--latex-preview-when-risky' to a non-nil value.
> > >
> > > ** Org mode now considers contents of remote files to be untrusted.
> > > Remote files are recognized by calling 'file-remote-p'.
> >
> > The detailed changelogs are at:
> > https://git.savannah.gnu.org/cgit/emacs.git/tree/ChangeLog.4?h=emacs-29
>
> Related to this there is as well an org-mode update:
>
> https://list.orgmode.org/87o7b3eczr.fsf@bzg.fr/T/#t
>
> quoting that post:
>
> > I just released Org mode 9.6.23 that fixes several critical
> > vulnerabilities. The release is coordinated with emergency Emacs 29.3
> > release
> > (https://lists.gnu.org/archive/html/info-gnu/2024-03/msg00005.html).
> >
> > Please upgrade your Org mode *and* Emacs ASAP.
> >
> > The vulnerabilities involve arbitrary Elisp and LaTeX evaluation when
> > previewing attachments in Emacs or when opening third-party Org files.
> >
> > The arbitrary Elisp evaluation is fixed by this release.
> >
> > The fix for LaTeX evaluation requires Emacs 29.3 and will not work for
> > the earlier Emacs versions. If upgrading Emacs is not viable, as a
> > workaround, you can set `org-preview-latex-default-process' to 'verbatim
> > - this will disable LaTeX previews and avoid the vulnerability.
>
> I believe CVE assignments are yet missing. RedHat folks, can you
> assign CVEs as needed for the individual emacs and org-mode issues?

CVEs are now assigned for the emacs and org-mode issues:

CVE-2024-30205:
- https://git.savannah.gnu.org/cgit/emacs.git/commit/?h=emacs-29&id=2bc865ace050ff118db43f01457f95f95112b877
- https://git.savannah.gnu.org/cgit/emacs/org-mode.git/commit/?id=4255d5dcc0657915f90e4fba7e0a5514cced514d
CVE-2024-30204:
- https://git.savannah.gnu.org/cgit/emacs.git/commit/?h=emacs-29&id=6f9ea396f49cbe38c2173e0a72ba6af3e03b271c
CVE-2024-30203:
- https://git.savannah.gnu.org/cgit/emacs.git/commit/?h=emacs-29&id=937b9042ad7426acdcca33e3d931d8f495bdd804
CVE-2024-30202:
- https://git.savannah.gnu.org/cgit/emacs.git/commit/?h=emacs-29&id=befa9fcaae29a6c9a283ba371c3c5234c7f644eb
- https://git.savannah.gnu.org/cgit/emacs/org-mode.git/commit/?id=003ddacf1c8d869b1858181c29ea21b731a8d8d9

Regards,
Salvatore
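
The workaround quoted above, written as an init-file fragment that gates on the fixed versions named in the thread (Emacs 29.3, Org mode 9.6.23). This is an added example, not part of the original message or of the Emacs or Org sources; the `my/` constant names are hypothetical.

```elisp
;; Added example for init.el; not taken from the quoted announcements.
;; Fixed versions as stated in the thread: Emacs 29.3 and Org mode 9.6.23.
(defconst my/emacs-fixed-version "29.3")   ; hypothetical name
(defconst my/org-fixed-version "9.6.23")   ; hypothetical name

(with-eval-after-load 'org
  ;; The LaTeX-evaluation fix needs Emacs 29.3. On an older Emacs, apply the
  ;; workaround from the Org announcement, which disables LaTeX previews.
  (when (version< emacs-version my/emacs-fixed-version)
    (setq org-preview-latex-default-process 'verbatim)
    (display-warning
     'security
     (format "Emacs %s predates %s: Org LaTeX previews disabled"
             emacs-version my/emacs-fixed-version)))
  ;; The Elisp-evaluation fix ships in Org itself, so check it separately:
  ;; a newer Emacs can still load an older Org from the package directory.
  (when (version< (org-version) my/org-fixed-version)
    (display-warning
     'security
     (format "Org %s predates %s: upgrade Org mode"
             (org-version) my/org-fixed-version))))
```

The two checks are independent because, per the announcement, the Elisp fix is in the Org release while the LaTeX fix depends on the Emacs release.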