
Debian Bug report logs - #1032538
emacs: CVE-2023-27985 CVE-2023-27986


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Wed, 8 Mar 2023 20:00:04 UTC

Severity: grave

Tags: security, upstream

Found in version emacs/1:28.2+1-11



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Rob Browning <rlb@defaultvalue.org>:
Bug#1032538; Package src:emacs. (Wed, 08 Mar 2023 20:00:05 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Rob Browning <rlb@defaultvalue.org>. (Wed, 08 Mar 2023 20:00:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: emacs: Shell command and Emacs Lisp code injection in emacsclient-mail.desktop
Date: Wed, 08 Mar 2023 20:57:52 +0100
Source: emacs
Version: 1:28.2+1-11
Severity: grave
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi

No CVEs are yet assigned for the following two issues:

| emacsclient-mail.desktop is vulnerable to shell command
| injections and Emacs Lisp injections through a crafted
| mailto: URI.

See: https://www.openwall.com/lists/oss-security/2023/03/08/2

Fixes:

http://git.savannah.gnu.org/cgit/emacs.git/commit/?h=emacs-29&id=d32091199ae5de590a83f1542a01d75fba000467
http://git.savannah.gnu.org/cgit/emacs.git/commit/?h=emacs-29&id=3c1693d08b0a71d40a77e7b40c0ebc42dca2d2cc

Those do not affect older versions in bullseye. Making it RC for
bookworm to have a fix included before the bookworm release.

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Rob Browning <rlb@defaultvalue.org>:
Bug#1032538; Package src:emacs. (Thu, 09 Mar 2023 07:21:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Rob Browning <rlb@defaultvalue.org>. (Thu, 09 Mar 2023 07:21:03 GMT)


Message #10 received at 1032538@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 1032538@bugs.debian.org
Subject: Re: Bug#1032538: emacs: Shell command and Emacs Lisp code injection in emacsclient-mail.desktop
Date: Thu, 9 Mar 2023 08:16:59 +0100
Control: retitle -1 emacs: CVE-2023-27985 CVE-2023-27986

On Wed, Mar 08, 2023 at 08:57:52PM +0100, Salvatore Bonaccorso wrote:
> Source: emacs
> Version: 1:28.2+1-11
> Severity: grave
> Tags: security upstream
> X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
> 
> Hi
> 
> No CVEs are yet assigned for the following two issues:
> 
> | emacsclient-mail.desktop is vulnerable to shell command
> | injections and Emacs Lisp injections through a crafted
> | mailto: URI.
> 
> See: https://www.openwall.com/lists/oss-security/2023/03/08/2

CVEs were assigned for those two.

> 
> Fixes:
> 
> http://git.savannah.gnu.org/cgit/emacs.git/commit/?h=emacs-29&id=d32091199ae5de590a83f1542a01d75fba000467

CVE-2023-27985

> http://git.savannah.gnu.org/cgit/emacs.git/commit/?h=emacs-29&id=3c1693d08b0a71d40a77e7b40c0ebc42dca2d2cc

CVE-2023-27986

Regards,
Salvatore



Changed Bug title to 'emacs: CVE-2023-27985 CVE-2023-27986' from 'emacs: Shell command and Emacs Lisp code injection in emacsclient-mail.desktop'. Request was from Salvatore Bonaccorso <carnil@debian.org> to 1032538-submit@bugs.debian.org. (Thu, 09 Mar 2023 07:21:03 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Mar 9 13:07:45 2023; Machine Name: bembo
