Bug 31767 - emacs new security issue CVE-2023-28617
Summary: emacs new security issue CVE-2023-28617
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 8
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Reported: 2023-04-06 18:53 CEST by David Walser
Modified: 2023-04-24 02:21 CEST (History)
6 users (show)

See Also:
Source RPM: emacs-27.1-1.3.mga8.src.rpm
CVE: CVE-2023-28617
Status comment:


Description David Walser 2023-04-06 18:53:41 CEST
Ubuntu has issued an advisory today (April 6):

Mageia 8 is also affected.
David Walser 2023-04-06 18:53:53 CEST

Status comment: (none) => Patches available from Ubuntu
Whiteboard: (none) => MGA8TOO

Comment 1 Lewis Smith 2023-04-08 20:14:26 CEST
Assigning to ns80, as you did other recent CVE updates for emacs.

Assignee: bugsquad => nicolas.salguero

Comment 2 Nicolas Salguero 2023-04-11 10:15:09 CEST
Suggested advisory:

The updated packages fix a security vulnerability:

org-babel-execute:latex in ob-latex.el in Org Mode through 9.6.1 for GNU Emacs allows attackers to execute arbitrary commands via a file name or directory name that contains shell metacharacters. (CVE-2023-28617)


Updated packages in core/updates_testing:

from SRPM:

Assignee: nicolas.salguero => qa-bugs
Whiteboard: MGA8TOO => (none)
Version: Cauldron => 8
Source RPM: emacs-28.2-9.mga9.src.rpm => emacs-27.1-1.3.mga8.src.rpm
CC: (none) => nicolas.salguero
Status comment: Patches available from Ubuntu => (none)

Nicolas Salguero 2023-04-11 10:15:17 CEST

CVE: (none) => CVE-2023-28617

Comment 3 Herman Viaene 2023-04-13 14:45:56 CEST
MGA8-64 MATE on Acer Aspire 5253
No installation issues.
Opened a text file with emacs, but couldn't make any sense of its workings. I'll keep my feelings about it for myself.
Leaving to someone else who can judge whether it works as intended or not.

CC: (none) => herman.viaene

Comment 4 Len Lawrence 2023-04-17 20:35:58 CEST
Mageia8, x86_64
An acquired taste maybe Herman.  It is a world in itself and uses Common Lisp at some level (which I do not know).  Have been using it for over 40 years in a fairly basic fashion.  For editing program code it continues to provide colour coding, (like many editors) if an extension is provided; .c, .py, .pl, .rb etc.  I use it with a .emacs file which contains shortcuts for several common operations like changing case, moving to a  line by number, exporting and importing text files, performing repeated substitutions, splitting windows, etc. which can be bound to unused keys.  That all seems to work as before so it can go out.  The .emacs file is based on one Horst Meyerdierks wrote many years ago.

Whiteboard: (none) => MGA8-64-OK
CC: (none) => tarazed25

Comment 5 Thomas Andrews 2023-04-18 13:46:55 CEST
Always good to have a tester that's familiar with the application, Len. Thanks!

Validating. Advisory in comment 2.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2023-04-23 23:52:21 CEST

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 6 Mageia Robot 2023-04-24 02:21:53 CEST
An update for this issue has been pushed to the Mageia Updates repository.


Resolution: (none) => FIXED

Note You need to log in before you can comment on or make changes to this bug.