openSUSE has issued an advisory on December 18:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/P4KYDPPUCZHJVNAEXLQAF43YKVZPVWFH/

Fix:
https://build.opensuse.org/projects/editors/packages/emacs/files/emacs-CVE-2024-53920.patch?expand=1
Whiteboard: (none) => MGA9TOO
Source RPM: (none) => emacs-29.4-5.mga10.src.rpm, emacs-29.4-1.1.mga9.src.rpm
Status comment: (none) => Patch available from openSUSE
CVE: (none) => CVE-2024-53920
Suggested advisory:
========================

The updated packages fix a security vulnerability:

In elisp-mode.el in GNU Emacs through 30.0.92, a user who chooses to invoke elisp-completion-at-point (for code completion) on untrusted Emacs Lisp source code can trigger unsafe Lisp macro expansion that allows attackers to execute arbitrary code. (This unsafe expansion also occurs if a user chooses to enable on-the-fly diagnosis that byte compiles untrusted Emacs Lisp source code). (CVE-2024-53920)

References:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/P4KYDPPUCZHJVNAEXLQAF43YKVZPVWFH/
========================

Updated packages in core/updates_testing:
========================
emacs-29.4-1.2.mga9
emacs-common-29.4-1.2.mga9
emacs-doc-29.4-1.2.mga9
emacs-el-29.4-1.2.mga9
emacs-leim-29.4-1.2.mga9
emacs-nox-29.4-1.2.mga9
emacs-pgtk-29.4-1.2.mga9

from SRPM:
emacs-29.4-1.2.mga9.src.rpm
Source RPM: emacs-29.4-5.mga10.src.rpm, emacs-29.4-1.1.mga9.src.rpm => emacs-29.4-1.1.mga9.src.rpm
Assignee: bugsquad => qa-bugs
Status: NEW => ASSIGNED
Whiteboard: MGA9TOO => (none)
Status comment: Patch available from openSUSE => (none)
Version: Cauldron => 9
Keywords: (none) => advisory
RH x86_64

Confirm the vulnerability

installing emacs-common-29.4-1.2.mga9.x86_64.rpm emacs-29.4-1.2.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64
Preparing... ##################################################################################################
1/2: emacs-common ##################################################################################################
2/2: emacs ##################################################################################################
1/2: removing emacs-29.4-1.1.mga9.x86_64 ##################################################################################################
2/2: removing emacs-common-29.4-1.1.mga9.x86_64 ##################################################################################################

The test for the vulnerability shows it is now fixed.

OK for me
MGA9-64 Plasma Wayland on Compaq H000SB

No installation issues.
Never used this, so opened it, read some of the tutorial, refused to learn all the keyinputs (makes me think of DOS programs long gone). Just able to add a line to a txt file, save, reopen, check the change, delete it and save again to its original text.
If katnatek is happy with that, bless him. I'm running away as far as I can.
Basically it works, so affirm the OK above.
CC: (none) => herman.viaene
Whiteboard: (none) => MGA9-64-OK
Thank you, Herman. I tried this for an MGA8 update a while back, did about what you did, and also refused to learn all the keyinputs, as well - it's just not something I'm going to use much. I was going to look at it again in VirtualBox for this bug, but you saved me from all that. Validating.
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2024-0397.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED