Bug 31593 - emacs new security issues CVE-2023-4833[7-9]
Summary: emacs new security issues CVE-2023-4833[7-9]
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 8
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2023-02-24 20:06 CET by David Walser
Modified: 2023-03-01 22:16 CET (History)
6 users (show)

See Also:
Source RPM: emacs-27.1-1.2.mga8.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2023-02-24 20:06:12 CET
Debian has issued an advisory on February 23:
https://www.debian.org/security/2023/dsa-5360

Mageia 8 is also affected.
David Walser 2023-02-24 20:06:28 CET

Status comment: (none) => Patches available from upstream and Debian
Whiteboard: (none) => MGA8TOO

Comment 1 Lewis Smith 2023-02-26 19:55:40 CET
Assigning globally because many packagers have dealt with emacs; CC'ing ns80 who did the most recent CVE update.

CC: (none) => nicolas.salguero
Assignee: bugsquad => pkg-bugs

Comment 2 Nicolas Salguero 2023-02-27 13:05:49 CET
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

GNU Emacs through 28.2 allows attackers to execute commands via shell metacharacters in the name of a source-code file, because lib-src/etags.c uses the system C library function in its implementation of the etags program. For example, a victim may use the "etags -u *" command (suggested in the etags documentation) in a situation where the current working directory has contents that depend on untrusted input. (CVE-2022-48337)

An issue was discovered in GNU Emacs through 28.2. In ruby-mode.el, the ruby-find-library-file function has a local command injection vulnerability. The ruby-find-library-file function is an interactive function, and bound to C-c C-f. Inside the function, the external command gem is called through shell-command-to-string, but the feature-name parameters are not escaped. Thus, malicious Ruby source files may cause commands to be executed. (CVE-2022-48338)

An issue was discovered in GNU Emacs through 28.2. htmlfontify.el has a command injection vulnerability. In the hfy-istext-command function, the parameter file and parameter srcdir come from external input, and parameters are not escaped. If a file name or directory name contains shell metacharacters, code may be executed. (CVE-2022-48339)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-48337
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-48338
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-48339
https://www.debian.org/security/2023/dsa-5360
========================

Updated packages in core/updates_testing:
========================
emacs-27.1-1.3.mga8
emacs-common-27.1-1.3.mga8
emacs-doc-27.1-1.3.mga8
emacs-el-27.1-1.3.mga8
emacs-leim-27.1-1.3.mga8
emacs-nox-27.1-1.3.mga8

from SRPM:
emacs-27.1-1.3.mga8.src.rpm

Version: Cauldron => 8
Status: NEW => ASSIGNED
Status comment: Patches available from upstream and Debian => (none)
Source RPM: emacs-28.2-6.mga9.src.rpm => emacs-27.1-1.2.mga8.src.rpm
Whiteboard: MGA8TOO => (none)
Assignee: pkg-bugs => qa-bugs

Comment 3 Herman Viaene 2023-02-27 17:25:03 CET
MGA8-64 MATE on Acer Aspire 5253
No installation issues.
Ref bug 31211: as TJ I'vr never used emacs before, so used it to do some basic editing on a txt file and save it. Check with Pluma: all OK.
So off with it!!!!

Whiteboard: (none) => MGA8-64-OK
CC: (none) => herman.viaene

Comment 4 Len Lawrence 2023-02-27 18:07:13 CET
Thought I should check this as I use emacs all the time, with customized keys.  That all works fine.  Edited a program script - colour coding in operation OK.  Used a customized key to dump a section of code to an external file.

CC: (none) => tarazed25

Comment 5 Thomas Andrews 2023-03-01 17:32:34 CET
Always good to have an experienced user check these things out.

Validating. Advisory in comment 2.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Dave Hodgins 2023-03-01 18:07:56 CET

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 6 Mageia Robot 2023-03-01 22:16:11 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0081.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED


Note You need to log in before you can comment on or make changes to this bug.