CVE-2024-30203 - Emacs Gnus Inline MIME Handling Flaw (Exploit Details, Code, and Fixes)

---

Overview

On April 22, 2024, a new vulnerability, CVE-2024-30203, was published affecting Emacs, specifically its integrated mail/news reader Gnus. Gnus mishandles "inline MIME" email content, incorrectly treating it as *trusted* even if the content is risky. This opens the door for attackers to craft malicious emails that can execute code or leak information when simply viewed inside Emacs before version 29.3.

This article will break down what happened, how it can be exploited (with real code), and how to defend yourself. You won't find this content anywhere else!

What is Affected?

- Product: Emacs (Gnus email/news reader)

The Problem in Simple Terms

Normally, your email reader should *not* trust content embedded in email messages, especially attachments or parts marked as MIME (Multipurpose Internet Mail Extensions). Emacs Gnus mishandled this, treating any inline MIME as if it came from a trusted source. This means dangerous scripts or code could run if an attacker sends you a malicious email, and you open it in Emacs/Gnus.

Imagine a hacker sending this email:

From: attacker@evil.com
To: victim@example.com
Subject: Amazing Offer

--boundary
Content-Type: text/html

<img src="file:///etc/passwd">

<script>
  alert('Hi there, victim!');
  // Or more malicious code
</script>
--boundary--

What happens?
When you open this mail in Emacs Gnus, the email's HTML or scripting component is displayed inline. Gnus doesn't sanitize or block it, meaning JavaScript or embedded images could run. If you have dangerous Emacs Lisp configured to handle these parts in a trusted way, this could even result in Emacs executing arbitrary commands – a nightmare for privacy and safety.

Suppose you've configured Gnus to display images *inline* automatically, and an attacker sends:

Content-Type: image/svg+xml

<svg xmlns="http://www.w3.org/2000/svg">
  <script type="text/javascript">
    // This script could do practically anything in Emacs!
    alert('Exploit!');
  </script>
</svg>

SVGs can contain scripts, and Gnus prior to 29.3 would treat it *as if it's a file you asked to open!* Depending on your Emacs config, this could mean remote code execution or attacker-controlled data being loaded/displayed.
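
On the defensive side, the two sample messages above can be turned into a triage check. The following Python is an added example, not code from the original article or from the Emacs project: it walks a message's MIME parts and reports any `text/html` or `image/svg+xml` part that is not marked as an attachment, along with which of the article's markers it contains. The function name, the marker list, the constructed sample message, and the rule that a part without `Content-Disposition` counts as inline-eligible are all assumptions.

```python
import base64
from email import message_from_string

RISKY_TYPES = {"text/html", "image/svg+xml"}  # types the article singles out
MARKERS = ("<script", "file://")  # strings seen in the article's samples

def risky_inline_parts(raw):
    """Return a finding for each risky MIME part a reader could show inline."""
    findings = []
    for index, part in enumerate(message_from_string(raw).walk()):
        ctype = part.get_content_type()
        # Assumption: a part without Content-Disposition may be displayed inline.
        disposition = part.get_content_disposition() or "inline"
        if ctype not in RISKY_TYPES or disposition == "attachment":
            continue
        # decode=True undoes base64/quoted-printable before the marker search.
        raw_body = part.get_payload(decode=True) or b""
        body = raw_body.decode("utf-8", "replace").lower()
        hits = [m for m in MARKERS if m in body]
        findings.append({"part": index, "type": ctype, "markers": hits})
    return findings

# Constructed sample modelled on the article's two messages.
SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script></svg>'
SAMPLE = f"""\
From: attacker@evil.com
Subject: Amazing Offer
Content-Type: multipart/mixed; boundary="boundary"

--boundary
Content-Type: text/html

<img src="file:///etc/passwd">
<script>alert('Hi there, victim!');</script>
--boundary
Content-Type: image/svg+xml
Content-Transfer-Encoding: base64

{base64.b64encode(SVG).decode()}
--boundary
Content-Type: image/svg+xml
Content-Disposition: attachment; filename="logo.svg"

<svg xmlns="http://www.w3.org/2000/svg"></svg>
--boundary--
"""

if __name__ == "__main__":
    print(*risky_inline_parts(SAMPLE), sep="\n")
```

The base64-encoded SVG part is flagged because the body is decoded before the search, while the SVG sent as an explicit attachment is skipped.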

Not sure which Emacs version you have? Run:

(emacs-version)
;; or, in shell:
emacs --version


Mitigation and Fixes

The Emacs developers released version 29.3 to fix this.

Gnus now treats all inline MIME content as *untrusted* by default.

- HTML, images, scripts, and other dangerous types are sanitized or require user confirmation before processing.

Don't process risky inline MIME automatically

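If you have custom Gnus settings that enable auto-processing of MIME parts, review your .emacs or .gnus.el configuration for lines like the following, which turn on image loading in HTML mail and list HTML and SVG among the types Gnus displays inline: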

(setq mm-inline-text-html-with-images t)

(setq mm-inlined-types '("text/html" "image/svg+xml"))

Final Thoughts

CVE-2024-30203 is a demonstration of how even age-old, trusted tools can become risky as email formats and attack techniques evolve. Double-check your Emacs version and Gnus config, especially if you ever read email in Emacs!

Never trust inline MIME by default.

For more detailed exploit research, visit:

- Full CVE Writeup at NVD
- Emacs mailing list discussion

Timeline

Published on: 03/25/2024 15:15:52 UTC
Last modified on: 11/07/2024 11:35:05 UTC