Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

ALAS-2023-1712

Related Vulnerabilities: CVE-2022-45939   CVE-2022-48337   CVE-2022-48339  

GNU Emacs through 28.2 allows attackers to execute commands via shell metacharacters in the name of a source-code file, because lib-src/etags.c uses the system C library function in its implementation of the ctags program. For example, a victim may use the "ctags *" command (suggested in the ctags documentation) in a situation where the current working directory has contents that depend on untrusted input. (CVE-2022-45939) GNU Emacs through 28.2 allows attackers to execute commands via shell metacharacters in the name of a source-code file, because lib-src/etags.c uses the system C library function in its implementation of the etags program. For example, a victim may use the "etags -u *" command (suggested in the etags documentation) in a situation where the current working directory has contents that depend on untrusted input. (CVE-2022-48337) An issue was discovered in GNU Emacs through 28.2. htmlfontify.el has a command injection vulnerability. In the hfy-istext-command function, the parameter file and parameter srcdir come from external input, and parameters are not escaped. If a file name or directory name contains shell metacharacters, code may be executed. (CVE-2022-48339)

Source

ALAS-2023-1712

Amazon Linux AMI Security Advisory: ALAS-2023-1712
Advisory Release Date: 2023-03-30 22:50 Pacific
Advisory Updated Date: 2023-04-05 20:25 Pacific
Severity: Important
Issue Overview:

GNU Emacs through 28.2 allows attackers to execute commands via shell metacharacters in the name of a source-code file, because lib-src/etags.c uses the system C library function in its implementation of the ctags program. For example, a victim may use the "ctags *" command (suggested in the ctags documentation) in a situation where the current working directory has contents that depend on untrusted input. (CVE-2022-45939)

GNU Emacs through 28.2 allows attackers to execute commands via shell metacharacters in the name of a source-code file, because lib-src/etags.c uses the system C library function in its implementation of the etags program. For example, a victim may use the "etags -u *" command (suggested in the etags documentation) in a situation where the current working directory has contents that depend on untrusted input. (CVE-2022-48337)

An issue was discovered in GNU Emacs through 28.2. htmlfontify.el has a command injection vulnerability. In the hfy-istext-command function, the parameter file and parameter srcdir come from external input, and parameters are not escaped. If a file name or directory name contains shell metacharacters, code may be executed. (CVE-2022-48339)


Affected Packages:

emacs


Issue Correction:
Run yum update emacs to update your system.

New Packages:
i686:
    emacs-24.3-20.25.amzn1.i686
    emacs-common-24.3-20.25.amzn1.i686
    emacs-debuginfo-24.3-20.25.amzn1.i686

noarch:
    emacs-el-24.3-20.25.amzn1.noarch

src:
    emacs-24.3-20.25.amzn1.src

x86_64:
    emacs-debuginfo-24.3-20.25.amzn1.x86_64
    emacs-24.3-20.25.amzn1.x86_64
    emacs-common-24.3-20.25.amzn1.x86_64

Additional References

Red Hat: CVE-2022-45939, CVE-2022-48337, CVE-2022-48339

Mitre: CVE-2022-45939, CVE-2022-48337, CVE-2022-48339

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started