Bug 31767 - emacs new security issue CVE-2023-28617
Summary: emacs new security issue CVE-2023-28617
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2023-04-06 18:53 CEST by David Walser
Modified: 2023-04-24 02:21 CEST

See Also:
Source RPM: emacs-27.1-1.3.mga8.src.rpm
CVE: CVE-2023-28617
Status comment:


Description David Walser 2023-04-06 18:53:41 CEST
Ubuntu has issued an advisory today (April 6):
https://ubuntu.com/security/notices/USN-6003-1

Mageia 8 is also affected.
David Walser 2023-04-06 18:53:53 CEST

Status comment: (none) => Patches available from Ubuntu
Whiteboard: (none) => MGA8TOO

Comment 1 Lewis Smith 2023-04-08 20:14:26 CEST
Assigning to ns80, as you did other recent CVE updates for emacs.

Assignee: bugsquad => nicolas.salguero

Comment 2 Nicolas Salguero 2023-04-11 10:15:09 CEST
Suggested advisory:
========================

The updated packages fix a security vulnerability:

org-babel-execute:latex in ob-latex.el in Org Mode through 9.6.1 for GNU Emacs allows attackers to execute arbitrary commands via a file name or directory name that contains shell metacharacters. (CVE-2023-28617)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28617
https://ubuntu.com/security/notices/USN-6003-1
========================

Updated packages in core/updates_testing:
========================
emacs-27.1-1.4.mga8
emacs-common-27.1-1.4.mga8
emacs-doc-27.1-1.4.mga8
emacs-el-27.1-1.4.mga8
emacs-leim-27.1-1.4.mga8
emacs-nox-27.1-1.4.mga8

from SRPM:
emacs-27.1-1.4.mga8.src.rpm

Status: NEW => ASSIGNED
Assignee: nicolas.salguero => qa-bugs
Whiteboard: MGA8TOO => (none)
Version: Cauldron => 8
Source RPM: emacs-28.2-9.mga9.src.rpm => emacs-27.1-1.3.mga8.src.rpm
CC: (none) => nicolas.salguero
Status comment: Patches available from Ubuntu => (none)
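An added illustration (not Org's code and not the upstream patch) of the bug class named in the advisory: a file name spliced unquoted into a shell command string, beside two safer forms. The function names are hypothetical; `shell-command`, `shell-quote-argument` and `call-process` are standard Emacs primitives.

```elisp
;; Vulnerable pattern: the file name becomes part of the shell command
;; text, so any shell metacharacters in the name are parsed by /bin/sh
;; instead of being treated as part of the file name.
(defun example/unsafe-compile (texfile)
  (shell-command (concat "pdflatex " texfile)))

;; Safer: quote every argument that originates from untrusted input
;; (a file or directory name) before handing the string to the shell.
(defun example/quoted-compile (texfile)
  (shell-command (concat "pdflatex " (shell-quote-argument texfile))))

;; Safest: avoid the shell entirely and pass the argument vector to
;; the program directly, so no shell parsing of the name ever happens.
(defun example/no-shell-compile (texfile)
  (call-process "pdflatex" nil "*pdflatex-output*" nil
                "-interaction=nonstopmode" texfile))

;; Quick check of the quoting in *scratch*: inspect how a name with
;; spaces and punctuation is escaped before it reaches the shell.
(shell-quote-argument "my report (draft).tex")
```

The third form is the one to prefer when reviewing Elisp that builds commands from buffer or file names, since it removes the shell from the path altogether.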

Nicolas Salguero 2023-04-11 10:15:17 CEST

CVE: (none) => CVE-2023-28617

Comment 3 Herman Viaene 2023-04-13 14:45:56 CEST
MGA8-64 MATE on Acer Aspire 5253
No installation issues.
Opened a text file with emacs, but couldn't make any sense of its workings. I'll keep my feelings about it to myself.
Leaving to someone else who can judge whether it works as intended or not.

CC: (none) => herman.viaene

Comment 4 Len Lawrence 2023-04-17 20:35:58 CEST
Mageia8, x86_64
An acquired taste maybe, Herman. It is a world in itself and uses Common Lisp at some level (which I do not know). Have been using it for over 40 years in a fairly basic fashion. For editing program code it continues to provide colour coding (like many editors) if an extension is provided: .c, .py, .pl, .rb etc. I use it with a .emacs file which contains shortcuts for several common operations like changing case, moving to a line by number, exporting and importing text files, performing repeated substitutions, splitting windows, etc., which can be bound to unused keys. That all seems to work as before so it can go out. The .emacs file is based on one Horst Meyerdierks wrote many years ago.

Whiteboard: (none) => MGA8-64-OK
CC: (none) => tarazed25

Comment 5 Thomas Andrews 2023-04-18 13:46:55 CEST
Always good to have a tester that's familiar with the application, Len. Thanks!

Validating. Advisory in comment 2.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2023-04-23 23:52:21 CEST

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 6 Mageia Robot 2023-04-24 02:21:53 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0152.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED
