Bug 34045 - emacs new security issue CVE-2025-1244
Summary: emacs new security issue CVE-2025-1244
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Reported: 2025-02-24 16:50 CET by Nicolas Salguero
Modified: 2025-02-25 17:59 CET
Source RPM: emacs-29.4-6.mga10.src.rpm, emacs-29.4-1.2.mga9.src.rpm
CVE: CVE-2025-1244
Status comment: Fixed upstream in 30.1 and patch available from upstream

Description Nicolas Salguero 2025-02-24 16:50:11 CET
Emacs 30.1, which fixes CVE-2025-1244, was announced here:
https://lwn.net/Articles/1011611/

Comment 1 Nicolas Salguero 2025-02-24 16:50:57 CET
Fix: https://git.savannah.gnu.org/cgit/emacs.git/commit/?id=820f0793f0b46448928905552726c1f1b999062f

CVE: (none) => CVE-2025-1244
Status comment: (none) => Fixed upstream in 30.1 and patch available from upstream
Whiteboard: (none) => MGA9TOO
Source RPM: (none) => emacs-29.4-6.mga10.src.rpm, emacs-29.4-1.2.mga9.src.rpm

Comment 2 David GEIGER 2025-02-25 06:25:24 CET
Fixed for Cauldron!

CC: (none) => geiger.david68210
Whiteboard: MGA9TOO => (none)
Version: Cauldron => 9

Comment 3 David GEIGER 2025-02-25 07:02:11 CET
Assigning to QA,

Packages in 9/Core/Updates_testing:
======================
emacs-29.4-1.3.mga9
emacs-common-29.4-1.3.mga9
emacs-doc-29.4-1.3.mga9.noarch.rpm
emacs-el-29.4-1.3.mga9.noarch.rpm
emacs-leim-29.4-1.3.mga9.noarch.rpm
emacs-nox-29.4-1.3.mga9
emacs-pgtk-29.4-1.3.mga9

From SRPMS:
emacs-29.4-1.3.mga9.src.rpm

Assignee: bugsquad => qa-bugs

Comment 4 Len Lawrence 2025-02-25 10:32:22 CET
Taking this one.  In process of gathering information for the advisory.

CC: (none) => tarazed25

Comment 5 Len Lawrence 2025-02-25 11:07:22 CET
mga9, x64
Habitual user of emacs.  Update OK.  No way found to test the vulnerability.
Local edit command used to launch it.
$ cat ~/bin/edit
#!/bin/bash
emacs -Q -u lcl -background white -foreground black $1 &

That works fine using the local .emacs file which defines shortcuts on the keyboard.  Those work fine.
Loaded a 10,000 line text file and exercised various functions like cut&paste internally and into another open file.  Forward search worked fine and command repeat.  Repeated substitutions work also.  Dumped section of file to an external file and imported the contents of an external file into the text then saved everything on exit.  Intermediate copies of the current text can also be saved in a named file.

Looks good.

Whiteboard: (none) => MGA9-64-OK

Comment 6 Len Lawrence 2025-02-25 11:19:53 CET
Addendum to comment #5:

Information with hyperlinks and web links can be displayed by using Ctrl-h Ctrl-a.  'q' to return to editing.

Comment 7 Thomas Andrews 2025-02-25 15:58:09 CET
Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Len Lawrence 2025-02-25 16:39:01 CET

Keywords: (none) => advisory

Comment 8 Mageia Robot 2025-02-25 17:59:17 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2025-0075.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED
