Emacs 29.3 and CVE-2024-30205

A new release of Emacs, 29.3, came out Monday. Windows binaries are available as of yesterday evening. This release responds to CVE-2024-30205, which seems rather serious; Emacs users should update if possible.

There tends to be an air of mystery when it comes to security related software defects.

Sharing information about recently discovered/fixed vulnerabilities is a balancing act for development teams who want, simultaneously, to inform users but also guard against coaching would-be attackers in crafting exploitation recipes while users are still becoming aware of the problem. In an effort to do my part acting responsibly in this regard, I'm withholding (initially) some of what (I think) I know. I'll update this post over the coming weeks to add detail about the problems and fixes, and links to other posts on this topic that I find. I'll also incorporate corrections, suggestions, and new information I receive (TIA).

For the moment, please be aware of this issue. If you can, look into it. If you can't do that right now, upgrade to Emacs 29.3 (or build a new Emacs 30.0.50) right away (and check back for more details, if interested).

Many thanks to the users of libera.chat#emacs for research and discussion, especially to `xristos' for working on this set of configuration based mitigations for users who may be unable to update Emacs right away:

https://xristos.sdf.org/fix-gnus-mime.el.txt

Particular thanks to Max Nikulin who -if I'm not mistaken- initially reported this issue on Feb 14th, and to Igor and Eli for the prompt remediation and release for/of Emacs 29.3. I also appreciated the information on reporting serious security issues with Emacs which Stefan K recently added to the BUGS file (which file you can find in the root folder of the git cloned Emacs source tree).