Source: emacs X-Debbugs-CC: t...@security.debian.org Severity: grave Tags: security
Hi, The following vulnerabilities were published for emacs. CVE-2022-48339[0]: | An issue was discovered in GNU Emacs through 28.2. htmlfontify.el has | a command injection vulnerability. In the hfy-istext-command function, | the parameter file and parameter srcdir come from external input, and | parameters are not escaped. If a file name or directory name contains | shell metacharacters, code may be executed. https://git.savannah.gnu.org/cgit/emacs.git/commit/?id=1b4dc4691c1f87fc970fbe568b43869a15ad0d4c CVE-2022-48338[1]: | An issue was discovered in GNU Emacs through 28.2. In ruby-mode.el, | the ruby-find-library-file function has a local command injection | vulnerability. The ruby-find-library-file function is an interactive | function, and bound to C-c C-f. Inside the function, the external | command gem is called through shell-command-to-string, but the | feature-name parameters are not escaped. Thus, malicious Ruby source | files may cause commands to be executed. https://git.savannah.gnu.org/cgit/emacs.git/commit/?id=9a3b08061feea14d6f37685ca1ab8801758bfd1c CVE-2022-48337[2]: | GNU Emacs through 28.2 allows attackers to execute commands via shell | metacharacters in the name of a source-code file, because lib- | src/etags.c uses the system C library function in its implementation | of the etags program. For example, a victim may use the "etags -u *" | command (suggested in the etags documentation) in a situation where | the current working directory has contents that depend on untrusted | input. https://git.savannah.gnu.org/cgit/emacs.git/commit/?id=01a4035c869b91c153af9a9132c87adb7669ea1c If you fix the vulnerabilities please also make sure to include the CVE (Common Vulnerabilities & Exposures) ids in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2022-48339 https://www.cve.org/CVERecord?id=CVE-2022-48339 [1] https://security-tracker.debian.org/tracker/CVE-2022-48338 https://www.cve.org/CVERecord?id=CVE-2022-48338 [2] https://security-tracker.debian.org/tracker/CVE-2022-48337 https://www.cve.org/CVERecord?id=CVE-2022-48337 Please adjust the affected versions in the BTS as needed.