Debian has issued an advisory on February 23: https://www.debian.org/security/2023/dsa-5360 Mageia 8 is also affected.
Status comment: (none) => Patches available from upstream and DebianWhiteboard: (none) => MGA8TOO
Assigning globally because many packagers have dealt with emacs; CC'ing ns80 who did the most recent CVE update.
CC: (none) => nicolas.salgueroAssignee: bugsquad => pkg-bugs
Suggested advisory: ======================== The updated packages fix security vulnerabilities: GNU Emacs through 28.2 allows attackers to execute commands via shell metacharacters in the name of a source-code file, because lib-src/etags.c uses the system C library function in its implementation of the etags program. For example, a victim may use the "etags -u *" command (suggested in the etags documentation) in a situation where the current working directory has contents that depend on untrusted input. (CVE-2022-48337) An issue was discovered in GNU Emacs through 28.2. In ruby-mode.el, the ruby-find-library-file function has a local command injection vulnerability. The ruby-find-library-file function is an interactive function, and bound to C-c C-f. Inside the function, the external command gem is called through shell-command-to-string, but the feature-name parameters are not escaped. Thus, malicious Ruby source files may cause commands to be executed. (CVE-2022-48338) An issue was discovered in GNU Emacs through 28.2. htmlfontify.el has a command injection vulnerability. In the hfy-istext-command function, the parameter file and parameter srcdir come from external input, and parameters are not escaped. If a file name or directory name contains shell metacharacters, code may be executed. (CVE-2022-48339) References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-48337 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-48338 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-48339 https://www.debian.org/security/2023/dsa-5360 ======================== Updated packages in core/updates_testing: ======================== emacs-27.1-1.3.mga8 emacs-common-27.1-1.3.mga8 emacs-doc-27.1-1.3.mga8 emacs-el-27.1-1.3.mga8 emacs-leim-27.1-1.3.mga8 emacs-nox-27.1-1.3.mga8 from SRPM: emacs-27.1-1.3.mga8.src.rpm
Version: Cauldron => 8Status: NEW => ASSIGNEDStatus comment: Patches available from upstream and Debian => (none)Source RPM: emacs-28.2-6.mga9.src.rpm => emacs-27.1-1.2.mga8.src.rpmWhiteboard: MGA8TOO => (none)Assignee: pkg-bugs => qa-bugs
MGA8-64 MATE on Acer Aspire 5253 No installation issues. Ref bug 31211: as TJ I'vr never used emacs before, so used it to do some basic editing on a txt file and save it. Check with Pluma: all OK. So off with it!!!!
Whiteboard: (none) => MGA8-64-OKCC: (none) => herman.viaene
Thought I should check this as I use emacs all the time, with customized keys. That all works fine. Edited a program script - colour coding in operation OK. Used a customized key to dump a section of code to an external file.
CC: (none) => tarazed25
Always good to have an experienced user check these things out. Validating. Advisory in comment 2.
CC: (none) => andrewsfarm, sysadmin-bugsKeywords: (none) => validated_update
CC: (none) => davidwhodginsKeywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2023-0081.html
Status: ASSIGNED => RESOLVEDResolution: (none) => FIXED