Debian Security Advisory 5314-1
Debian Linux Security Advisory 5314-1 - It was discovered that missing input sanitising in the ctags functionality of Emacs may result in the execution of arbitrary shell commands.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Debian Security Advisory DSA-5314-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
January 11, 2023                      https://www.debian.org/security/faq

Package        : emacs
CVE ID         : CVE-2022-45939
Debian Bug     : 1025009
It was discovered that missing input sanitising in the ctags functionality
of Emacs may result in the execution of arbitrary shell commands.
For the stable distribution (bullseye), this problem has been fixed in
version 1:27.1+1-3.1+deb11u1.
We recommend that you upgrade your emacs packages.
For the detailed security status of emacs please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/emacs
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----
=gd6B
-----END PGP SIGNATURE-----
Related news
Ubuntu Security Notice 7027-1 - It was discovered that Emacs incorrectly handled input sanitization. An attacker could possibly use this issue to execute arbitrary commands. This issue only affected Ubuntu 18.04 LTS, Ubuntu 20.04 LTS and Ubuntu 22.04 LTS. Xi Lu discovered that Emacs incorrectly handled input sanitization. An attacker could possibly use this issue to execute arbitrary commands. This issue only affected Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, Ubuntu 20.04 LTS and Ubuntu 22.04 LTS.
An update for emacs is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-45939: A flaw was found in Etags, the Ctags implementation of Emacs. A file with a crafted filename may result in arbitrary command execution when processed by Etags.
Red Hat Security Advisory 2023-2366-01 - GNU Emacs is a powerful, customizable, self-documenting text editor. It provides special code editing features, a scripting language, and the capability to read e-mail and news.
An update for emacs is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-45939: A flaw was found in Etags, the Ctags implementation of Emacs. A file with a crafted filename may result in arbitrary command execution when processed by Etags.
GNU Emacs through 28.2 allows attackers to execute commands via shell metacharacters in the name of a source-code file, because lib-src/etags.c uses the system C library function in its implementation of the ctags program. For example, a victim may use the "ctags *" command (suggested in the ctags documentation) in a situation where the current working directory has contents that depend on untrusted input.
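The CVE text above pins the root cause to one C pattern: a file name is interpolated into a command string that is handed to `system()`, so the shell re-parses whatever metacharacters the name contains. The following is an added example, not code from Emacs or from lib-src/etags.c, that puts the vulnerable shape beside the hardened one: `build_unsafe_command` shows the string that `system()` would receive (it is never executed here), `has_shell_metachars` is the kind of pre-scan a defender can run over a checkout before feeding it to an unpatched tool, and `run_without_shell` passes the name as a single `argv` element to `execvp()`, which involves no shell at all. The sample file name is constructed; the function names are the example's own.

```c
/* Added example (not from Emacs or etags.c): the system()-with-string
 * pattern behind CVE-2022-45939, next to the exec-with-argv pattern that
 * does not re-parse file names. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Characters that /bin/sh treats specially when they appear unquoted. */
static const char SHELL_META[] = "|&;<>()$`\\\"'*?[#\n";

/* 1 if name contains any character the shell would interpret, else 0.
 * Useful for auditing a directory before running an unpatched etags on it. */
int has_shell_metachars(const char *name) {
    return strpbrk(name, SHELL_META) != NULL;
}

/* The vulnerable shape: the untrusted name becomes part of one string that
 * system() would hand to sh -c. Only builds the string; returns 1 on success,
 * 0 if it did not fit. */
int build_unsafe_command(const char *tool, const char *name,
                         char *out, size_t outlen) {
    int n = snprintf(out, outlen, "%s %s", tool, name);
    return n >= 0 && (size_t)n < outlen;
}

/* The hardened shape: argv elements reach the child verbatim, so a name such
 * as "notes.c; echo injected" is just an odd file name. Returns the child's
 * exit status, or -1 if it could not be spawned or did not exit normally. */
int run_without_shell(char *const argv[]) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execvp(argv[0], argv);
        _exit(127);            /* only reached if exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    const char *crafted = "notes.c; echo injected";   /* constructed sample name */
    char cmd[256];

    printf("metacharacters present: %d\n", has_shell_metachars(crafted));
    if (build_unsafe_command("ctags", crafted, cmd, sizeof cmd))
        printf("system() would receive: %s\n", cmd);

    /* printf(1) echoes its argument literally: the name is printed, not run. */
    char *argv[] = {"printf", "%s\n", (char *)crafted, NULL};
    printf("exec without shell, exit status: %d\n", run_without_shell(argv));
    return 0;
}
```

The difference is where parsing happens: with `system()` the string is split and interpreted by `sh`, so the file name's `;` ends the `ctags` command and starts another; with `execvp()` the kernel receives an already-split argument vector and nothing re-tokenises it. The metacharacter scan is a stop-gap for hosts that cannot yet take the fixed package, not a substitute for the upgrade the advisory recommends.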