Those CVEs were announced here:
https://www.openwall.com/lists/oss-security/2024/03/24/1
https://www.openwall.com/lists/oss-security/2024/03/25/2

The issues are fixed in version 29.3 or with:

CVE-2024-30205:
- https://git.savannah.gnu.org/cgit/emacs.git/commit/?h=emacs-29&id=2bc865ace050ff118db43f01457f95f95112b877
- https://git.savannah.gnu.org/cgit/emacs/org-mode.git/commit/?id=4255d5dcc0657915f90e4fba7e0a5514cced514d

CVE-2024-30204:
- https://git.savannah.gnu.org/cgit/emacs.git/commit/?h=emacs-29&id=6f9ea396f49cbe38c2173e0a72ba6af3e03b271c

CVE-2024-30203:
- https://git.savannah.gnu.org/cgit/emacs.git/commit/?h=emacs-29&id=937b9042ad7426acdcca33e3d931d8f495bdd804

CVE-2024-30202:
- https://git.savannah.gnu.org/cgit/emacs.git/commit/?h=emacs-29&id=befa9fcaae29a6c9a283ba371c3c5234c7f644eb
- https://git.savannah.gnu.org/cgit/emacs/org-mode.git/commit/?id=003ddacf1c8d869b1858181c29ea21b731a8d8d9

Mageia 9 is also affected.

Whiteboard: (none) => MGA9TOO
CVE: (none) => CVE-2024-30202, CVE-2024-30203, CVE-2024-30204, CVE-2024-30205
Source RPM: (none) => emacs-28.2-10.mga9.src.rpm
Obviously go for the version update if possible. Unsure where to push this, so assigning it globally. @Nicolas: you are a conspicuous committer of emacs.
Status comment: (none) => fixed in version 29.3, or identified patches per CVE
Assignee: bugsquad => pkg-bugs

Suggested advisory:
========================

The updated packages fix a security vulnerability:

In Emacs before 29.3, arbitrary Lisp code is evaluated as part of turning on Org mode. This affects Org Mode before 9.6.23. (CVE-2024-30202)

In Emacs before 29.3, Gnus treats inline MIME contents as trusted. (CVE-2024-30203)

In Emacs before 29.3, LaTeX preview is enabled by default for e-mail attachments. (CVE-2024-30204)

In Emacs before 29.3, Org mode considers contents of remote files to be trusted. This affects Org Mode before 9.6.23. (CVE-2024-30205)

References:
https://www.openwall.com/lists/oss-security/2024/03/24/1
https://www.openwall.com/lists/oss-security/2024/03/25/2
========================

Updated packages in core/updates_testing:
========================
emacs-28.2-10.1.mga9
emacs-common-28.2-10.1.mga9
emacs-doc-28.2-10.1.mga9
emacs-el-28.2-10.1.mga9
emacs-leim-28.2-10.1.mga9
emacs-nox-28.2-10.1.mga9

from SRPM:
emacs-28.2-10.1.mga9.src.rpm

Version: Cauldron => 9
Status: NEW => ASSIGNED
Status comment: fixed in version 29.3, or identified patches per CVE => (none)
Assignee: pkg-bugs => qa-bugs
Whiteboard: MGA9TOO => (none)
Keywords: (none) => advisory
CC: (none) => tarazed25
Len, you know this better; can you test the packages, please?
@katnatek in comment 3. Yes, I shall have a look at it. Thanks.
mga9, x64

Long time user of emacs but only as a lightly customised editor and I don't speak common Lisp. Out of my depth with the issues covered by the CVEs.

Updated the packages via qarepo, drakrpm-update.

My edit command translates to:
    emacs -u <user> -background white -foreground black $1 &
and .emacs contains the customisations for specific keys on the keyboard. These cover cut and paste, search, saving sections to a file and retrieving text from a file, case conversion, tidying up paragraphs, repetitive commands, jump to line number, line deletion, ... All of these work with the newer version of emacs.

emacs sometimes honours the shebang line at the start of program scripts and applies colour coding to various constructs in the text. bash scripts are recognised without the shebang line. Tried that with ruby, python, perl and bash but emacs has not yet caught up with rust or golang.

emacs works fine at this basic level. Have never tried the nox version. About to have a go.

Yep, emacs-nox works fine in a console. Had a look at the in-session tutorial using Ctrl-h t and tried out some key combinations. The arrow keys work as expected. Ctrl-c, Ctrl-x to exit the editor.
Whiteboard: (none) => MGA9-64-OK
CC: (none) => andrewsfarm
Validating.
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2024-0104.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED