Bug 33019 - emacs new security issues CVE-2024-3020[2-5]
Summary: emacs new security issues CVE-2024-3020[2-5]
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2024-03-26 14:43 CET by Nicolas Salguero
Modified: 2024-03-31 05:29 CEST

See Also:
Source RPM: emacs-28.2-10.mga9.src.rpm
CVE: CVE-2024-30202, CVE-2024-30203, CVE-2024-30204, CVE-2024-30205
Status comment:


Attachments

Nicolas Salguero 2024-03-26 14:43:36 CET

Whiteboard: (none) => MGA9TOO
CVE: (none) => CVE-2024-30202, CVE-2024-30203, CVE-2024-30204, CVE-2024-30205
Source RPM: (none) => emacs-28.2-10.mga9.src.rpm

Comment 1 Lewis Smith 2024-03-26 21:11:58 CET
Obviously go for the version update if possible.

Unsure where to push this, so assigning it globally.
@Nicolas: you are a conspicuous committer of emacs.

Status comment: (none) => fixed in version 29.3, or identified patches per CVE
Assignee: bugsquad => pkg-bugs

Comment 2 Nicolas Salguero 2024-03-29 09:02:58 CET
Suggested advisory:
========================

The updated packages fix a security vulnerability:

In Emacs before 29.3, arbitrary Lisp code is evaluated as part of turning on Org mode. This affects Org Mode before 9.6.23. (CVE-2024-30202)

In Emacs before 29.3, Gnus treats inline MIME contents as trusted. (CVE-2024-30203)

In Emacs before 29.3, LaTeX preview is enabled by default for e-mail attachments. (CVE-2024-30204)

In Emacs before 29.3, Org mode considers contents of remote files to be trusted. This affects Org Mode before 9.6.23. (CVE-2024-30205)

References:
https://www.openwall.com/lists/oss-security/2024/03/24/1
https://www.openwall.com/lists/oss-security/2024/03/25/2
========================

Updated packages in core/updates_testing:
========================
emacs-28.2-10.1.mga9
emacs-common-28.2-10.1.mga9
emacs-doc-28.2-10.1.mga9
emacs-el-28.2-10.1.mga9
emacs-leim-28.2-10.1.mga9
emacs-nox-28.2-10.1.mga9

from SRPM:
emacs-28.2-10.1.mga9.src.rpm

Version: Cauldron => 9
Status: NEW => ASSIGNED
Status comment: fixed in version 29.3, or identified patches per CVE => (none)
Assignee: pkg-bugs => qa-bugs
Whiteboard: MGA9TOO => (none)
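A check for this advisory, added here as an example and not part of the bug report or of Mageia's tooling: it takes the fixed package builds listed in comment 2 and reports installed emacs packages that are still older. The ordering rules are a reimplementation of rpm's version comparison (not a call into librpm), and the point worth noting is that the fix is a backport, so the release field (10.mga9 vs 10.1.mga9) decides, not the upstream 29.3 version number.

```python
import re
from itertools import zip_longest

# Fixed builds from comment 2 (core/updates_testing). The fix is a Mageia
# backport: the version stays 28.2 and only the release moves 10.mga9 -> 10.1.mga9,
# so a check against upstream's "29.3" would wrongly flag the patched packages.
FIXED_NEVRS = [
    "emacs-28.2-10.1.mga9", "emacs-common-28.2-10.1.mga9",
    "emacs-doc-28.2-10.1.mga9", "emacs-el-28.2-10.1.mga9",
    "emacs-leim-28.2-10.1.mga9", "emacs-nox-28.2-10.1.mga9",
]
_SEG = re.compile(r"[0-9]+|[a-zA-Z]+|~")

def rpmvercmp(a: str, b: str) -> int:
    """Order two version/release strings like rpm's rpmvercmp: -1, 0 or 1.
    Segments are runs of digits or letters (anything else just separates); numbers
    beat letters, a longer string beats its prefix, and '~' sorts below everything
    (1.0~rc1 < 1.0). The '^' marker is not handled in this reimplementation."""
    for x, y in zip_longest(_SEG.findall(a), _SEG.findall(b)):
        if x == "~" or y == "~":
            if x != y:
                return 1 if y == "~" else -1
            continue
        if x is None or y is None:
            return -1 if x is None else 1
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        if x.isdigit():
            x, y = int(x), int(y)
        if x != y:
            return 1 if x > y else -1
    return 0

def parse_nevr(nevr: str):
    """Split 'name-[epoch:]version-release' (no arch) into name, (epoch, ver, rel)."""
    name, ver, rel = nevr.rsplit("-", 2)
    epoch, _, ver = ver.rpartition(":")  # epoch is '' when absent
    return name, (int(epoch or 0), ver, rel)

def evr_cmp(a, b) -> int:
    """Compare (epoch, version, release) tuples; a higher epoch wins outright."""
    return (a[0] > b[0]) - (a[0] < b[0]) or rpmvercmp(a[1], b[1]) or rpmvercmp(a[2], b[2])

FIXED = dict(parse_nevr(n) for n in FIXED_NEVRS)

# Input: one NEVR per line without arch, e.g. the output of
#   rpm -q --qf '%{NAME}-%{VERSION}-%{RELEASE}\n' emacs emacs-nox emacs-common
def vulnerable_packages(installed):
    """NEVRs from `installed` older than the fixed build; names not in the advisory are ignored."""
    parsed = [(nevr, *parse_nevr(nevr)) for nevr in installed]
    return [nevr for nevr, name, evr in parsed
            if name in FIXED and evr_cmp(evr, FIXED[name]) < 0]
```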

katnatek 2024-03-29 20:47:38 CET

Keywords: (none) => advisory

katnatek 2024-03-29 21:27:56 CET

CC: (none) => tarazed25

Comment 3 katnatek 2024-03-29 21:28:35 CET
Len, you know this better; can you test the packages, please?
Comment 4 Len Lawrence 2024-03-30 09:41:34 CET
@katnatek in comment 3.
Yes, I shall have a look at it.  Thanks.
Comment 5 Len Lawrence 2024-03-30 11:39:55 CET
mga9, x64
Long-time user of emacs, but only as a lightly customised editor, and I don't speak Common Lisp.  Out of my depth with the issues covered by the CVEs.

Updated the packages via qarepo, drakrpm-update.
My edit command translates to:
emacs -u <user> -background white -foreground black $1 &
and .emacs contains the customisations for specific keys on the keyboard.
These cover cut and paste, search, saving sections to a file and retrieving text from a file, case conversion, tidying up paragraphs, repetitive commands, jump to line number, line deletion, ...
All of these work with the newer version of emacs.

emacs sometimes honours the shebang line at the start of program scripts and applies colour coding to various constructs in the text.  bash scripts are recognised without the shebang line.
Tried that with ruby, python, perl and bash but emacs has not yet caught up with rust or golang.

emacs works fine at this basic level.  Have never tried the nox version.
About to have a go.
Comment 6 Len Lawrence 2024-03-30 15:56:43 CET
Yep, emacs-nox works fine in a console.
Had a look at the in-session tutorial using Ctrl-h t and tried out some key combinations.  The arrow keys work as expected.  Ctrl-c, Ctrl-x to exit the editor.

Whiteboard: (none) => MGA9-64-OK

katnatek 2024-03-30 17:31:01 CET

CC: (none) => andrewsfarm

Comment 7 Thomas Andrews 2024-03-30 19:06:45 CET
Validating.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 8 Mageia Robot 2024-03-31 05:29:25 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2024-0104.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED
