CVE-2022-45939 (https://git.savannah.gnu.org/cgit/emacs.git/commit/?id=d48bb4874bc6cd3e69c7a15fc3c91cc141025c51):

GNU Emacs through 28.2 allows attackers to execute commands via shell metacharacters in the name of a source-code file, because lib-src/etags.c uses the system C library function in its implementation of the ctags program. For example, a victim may use the "ctags *" command (suggested in the ctags documentation) in a situation where the current working directory has contents that depend on untrusted input.

Doesn't seem like this has made it into a release. Not 100% about the severity being '3', but I don't think any higher is justified given how unlikely it is that someone would use an untrusted tags file.
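The bug class named in the CVE text above, as an added example that is not part of the original report and is not code from lib-src/etags.c: a file name pasted into a system()-style command string, next to two mitigations (POSIX sh quoting, and bypassing the shell with an argv vector). The "sort" command string, the function names and the sample file name are constructed assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Vulnerable pattern (constructed command, not the etags.c source): the
   name lands in text that /bin/sh parses, so ';' or '$(...)' is live. */
int build_cmd_unsafe(char *buf, size_t n, const char *file) {
    return snprintf(buf, n, "sort -u -o %s %s", file, file);
}

/* Mitigation 1: quote for POSIX sh. Wrap in '...' and rewrite each
   embedded ' as '\''. Returns 0, or -1 if buf is too small. */
int sh_quote(char *buf, size_t n, const char *s) {
    size_t o = 0;
    if (n < 3) return -1;
    buf[o++] = '\'';
    for (; *s; s++) {
        size_t k = (*s == '\'') ? 4 : 1;
        if (o + k + 2 > n) return -1;      /* keep room for "'" and NUL */
        if (k == 4) memcpy(buf + o, "'\\''", 4); else buf[o] = *s;
        o += k;
    }
    buf[o++] = '\'';
    buf[o] = '\0';
    return 0;
}

/* Mitigation 2 (preferred): no shell; argv elements arrive verbatim. */
int run_argv(char *const argv[]) {
    int st;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) { execvp(argv[0], argv); _exit(127); }
    if (waitpid(pid, &st, 0) < 0) return -1;
    return WIFEXITED(st) ? WEXITSTATUS(st) : -1;   /* child exit status */
}

/* Self-check: a real sh parses the quoted name and compares it with the
   same name delivered verbatim as $1. Returns 0 when they match. */
int quoted_name_survives_sh(const char *name) {
    char q[512], script[600];
    char *argv[] = { "sh", "-c", script, "sh", (char *)name, NULL };
    if (sh_quote(q, sizeof q, name) != 0) return -1;
    snprintf(script, sizeof script, "test %s = \"$1\"", q);
    return run_argv(argv);
}

int main(void) { return quoted_name_survives_sh("a b;c'd$(e).c"); }
```

Exit status 0 from the program means the shell saw the quoted name as a single literal word.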
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ceee7dc6e9839b255c1082193d5d672ef616536a

commit ceee7dc6e9839b255c1082193d5d672ef616536a
Author:     Ulrich Müller <ulm@gentoo.org>
AuthorDate: 2022-11-30 11:57:33 +0000
Commit:     Ulrich Müller <ulm@gentoo.org>
CommitDate: 2022-11-30 11:57:33 +0000

    profiles: Mask app-editors/emacs:23 and :24 for removal

    Bug: https://bugs.gentoo.org/882347
    Bug: https://bugs.gentoo.org/882349
    Bug: https://bugs.gentoo.org/883687
    Signed-off-by: Ulrich Müller <ulm@gentoo.org>

 profiles/package.mask | 10 ++++++++++
 1 file changed, 10 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2b5fa51a40a887b4b6dbc1fc770327d53a56967e

commit 2b5fa51a40a887b4b6dbc1fc770327d53a56967e
Author:     Ulrich Müller <ulm@gentoo.org>
AuthorDate: 2022-11-30 11:30:55 +0000
Commit:     Ulrich Müller <ulm@gentoo.org>
CommitDate: 2022-11-30 11:30:55 +0000

    app-editors/emacs: Fix ctags command execution vulnerability

    Bug: https://bugs.gentoo.org/883687
    Signed-off-by: Ulrich Müller <ulm@gentoo.org>

 app-editors/emacs/Manifest              |   4 +
 app-editors/emacs/emacs-25.3-r13.ebuild | 355 ++++++++++++++++++++++
 app-editors/emacs/emacs-26.3-r9.ebuild  | 375 +++++++++++++++++++++++
 app-editors/emacs/emacs-27.2-r7.ebuild  | 438 +++++++++++++++++++++++++++
 app-editors/emacs/emacs-28.2-r2.ebuild  | 517 ++++++++++++++++++++++++++++++++
 5 files changed, 1689 insertions(+)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=18ea2a525b01417e67a503c9a003dbfdf76246df

commit 18ea2a525b01417e67a503c9a003dbfdf76246df
Author:     Ulrich Müller <ulm@gentoo.org>
AuthorDate: 2022-11-30 12:54:02 +0000
Commit:     Ulrich Müller <ulm@gentoo.org>
CommitDate: 2022-11-30 12:55:19 +0000

    app-editors/emacs: Don't install ctags and etags in slot 18

    Bug: https://bugs.gentoo.org/883687
    Signed-off-by: Ulrich Müller <ulm@gentoo.org>

 app-editors/emacs/Manifest               |   1 +
 app-editors/emacs/emacs-18.59-r15.ebuild | 161 +++++++++++++++++++++++++++++++
 2 files changed, 162 insertions(+)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/proj/emacs-patches.git/commit/?id=eefb630df4b0da5e6e432f53a5c5aa68bc16d28f

commit eefb630df4b0da5e6e432f53a5c5aa68bc16d28f
Author:     Ulrich Müller <ulm@gentoo.org>
AuthorDate: 2022-11-30 10:55:14 +0000
Commit:     Ulrich Müller <ulm@gentoo.org>
CommitDate: 2022-11-30 11:17:58 +0000

    Fix ctags command execution vulnerability

    Bug: https://bugs.gentoo.org/883687
    Signed-off-by: Ulrich Müller <ulm@gentoo.org>

 emacs/25.3/04_all_etags.patch | 255 ++++++++++++++++++++++++++++++++++++++++++
 emacs/26.3/03_all_etags.patch | 255 ++++++++++++++++++++++++++++++++++++++++++
 emacs/27.2/03_all_etags.patch | 255 ++++++++++++++++++++++++++++++++++++++++++
 emacs/28.2/02_all_etags.patch | 255 ++++++++++++++++++++++++++++++++++++++++++
 4 files changed, 1020 insertions(+)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/proj/emacs-patches.git/commit/?id=ddeeae41767ee66d2d18e9661bead416f7a4e2ef

commit ddeeae41767ee66d2d18e9661bead416f7a4e2ef
Author:     Ulrich Müller <ulm@gentoo.org>
AuthorDate: 2022-11-30 12:45:24 +0000
Commit:     Ulrich Müller <ulm@gentoo.org>
CommitDate: 2022-11-30 12:45:24 +0000

    18.59: Don't install ctags and etags

    Bug: https://bugs.gentoo.org/883687
    Signed-off-by: Ulrich Müller <ulm@gentoo.org>

 emacs/18.59/19_all_no-ctags-etags.patch | 47 +++++++++++++++++++++++++++++++++
 1 file changed, 47 insertions(+)
Should be all set. Candidates for stabilisation are:
app-editors/emacs-18.59-r15
app-editors/emacs-25.3-r13
app-editors/emacs-26.3-r9
app-editors/emacs-27.2-r7
app-editors/emacs-28.2-r2
Thanks! Please stabilize when ready
(In reply to Ulrich Müller from comment #5)
> Should be all set. Candidates for stabilisation are:
> app-editors/emacs-18.59-r15
> app-editors/emacs-25.3-r13
> app-editors/emacs-26.3-r9
> app-editors/emacs-27.2-r7
> app-editors/emacs-28.2-r2

All stable and previous versions (in their respective slot) removed.
Thanks, don't forget to make security bugs depend on the stabilizations they depend on.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8b7bdc3f6f2e7f011e6dfca2016bdfcea699c137

commit 8b7bdc3f6f2e7f011e6dfca2016bdfcea699c137
Author:     Jakov Smolić <jsmolic@gentoo.org>
AuthorDate: 2022-12-31 18:23:40 +0000
Commit:     Jakov Smolić <jsmolic@gentoo.org>
CommitDate: 2022-12-31 18:31:03 +0000

    app-editors/emacs: drop 23.4-r23, 24.5-r13

    Closes: https://bugs.gentoo.org/882347
    Closes: https://bugs.gentoo.org/882349
    Bug: https://bugs.gentoo.org/883687
    Signed-off-by: Jakov Smolić <jsmolic@gentoo.org>

 app-editors/emacs/Manifest              |   4 -
 app-editors/emacs/emacs-23.4-r23.ebuild | 354 --------------------------------
 app-editors/emacs/emacs-24.5-r13.ebuild | 346 -------------------------------
 3 files changed, 704 deletions(-)
Can this bug be closed? The problem is fixed since three months.
(In reply to Ulrich Müller from comment #10)
> Can this bug be closed? The problem is fixed since three months.

Assignee timeout. Closing.
(In reply to Ulrich Müller from comment #11)
> (In reply to Ulrich Müller from comment #10)
> > Can this bug be closed? The problem is fixed since three months.
>
> Assignee timeout. Closing.

We don't do that.
(A GLSA vote must be taken, please just ping if you're waiting. Closing abruptly is disruptive to our workflow.)
(In reply to Sam James from comment #12)
> > Assignee timeout. Closing.
>
> We don't do that.

So, this got your attention. Good. :)

I repeat my question from comment #10:
> Can this bug be closed? The problem is fixed since three months.
ajak is still handling moving to his new home (+ job) and glsamaker currently has some bugs in it when handling slots. I think it's currently on me to review whatever GLSAs are queued in the list, I don't know if Emacs is on it and I can't check right now.
Ping.
GLSA vote: no

Technically A3 qualifies, but the circumstances in which this will actually occur and the time passed since this was fixed make me vote no.