a75929bd-b6a4-11ed-bad6-080027f5fec9 | emacs -- multiple vulnerabilities
Xi Lu reports:
- CVE-2022-48337
-
GNU Emacs through 28.2 allows attackers to execute
commands via shell metacharacters in the name of a
source-code file, because lib-src/etags.c uses the
system C library function in its implementation of the
etags program. For example, a victim may use the
"etags -u *" command (suggested in the etags
documentation) in a situation where the current working
directory has contents that depend on untrusted input.
- CVE-2022-48338
-
An issue was discovered in GNU Emacs through 28.2. In
ruby-mode.el, the ruby-find-library-file function has a
local command injection vulnerability. The
ruby-find-library-file function is an interactive
function, and bound to C-c C-f. Inside the function, the
external command gem is called through
shell-command-to-string, but the feature-name parameters
are not escaped. Thus, malicious Ruby source files may
cause commands to be executed.
- CVE-2022-48339
-
An issue was discovered in GNU Emacs through
28.2. htmlfontify.el has a command injection
vulnerability. In the hfy-istext-command function, the
parameter file and parameter srcdir come from external
input, and parameters are not escaped. If a file name or
directory name contains shell metacharacters, code may
be executed.
Discovery 2022-12-06 Entry 2023-02-27 emacs
emacs-canna
emacs-nox
< 28.2_3,3
emacs-devel
emacs-devel-nox
< 30.0.50.20230101,3
CVE-2022-48337
CVE-2022-48338
CVE-2022-48339
https://www.debian.org/security/2023/dsa-5360
|
76e2fcce-92d2-11ed-a635-080027f5fec9 | emacs -- arbitary shell command execution vulnerability of ctags
lu4nx reports:
GNU Emacs through 28.2 allows attackers to execute
commands via shell metacharacters in the name of a
source-code file, because lib-src/etags.c uses the system
C library function in its implementation of the ctags
program. For example, a victim may use the "ctags *"
command (suggested in the ctags documentation) in a
situation where the current working directory has contents
that depend on untrusted input.
Discovery 2022-11-28 Entry 2023-01-12 emacs
emacs-canna
emacs-nox
< 28.2_2,3
emacs-devel
emacs-devel-nox
< 30.0.50.202211128,2
CVE-2022-45939
https://nvd.nist.gov/vuln/detail/CVE-2022-45939
|