Bug 897950 (CVE-2022-48337, CVE-2022-48338, CVE-2022-48339)

Summary: <app-editors/emacs-{25.3-r16, 26.3-r13, 27.2-r11, 28.2-r6}: multiple command injection vulnerabilities
Product: Gentoo Security
Reporter: John Helmert III <ajak>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: ajak, gnu-emacs
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: B2 [glsa+]
Package list:
Runtime testing required: ---
Bug Depends on: 898006
Bug Blocks:

Description John Helmert III (archtester, Gentoo Infrastructure, gentoo-dev, Security) 2023-02-26 18:02:02 UTC
CVE-2022-48337 (https://git.savannah.gnu.org/cgit/emacs.git/commit/?id=01a4035c869b91c153af9a9132c87adb7669ea1c):

GNU Emacs through 28.2 allows attackers to execute commands via shell metacharacters in the name of a source-code file, because lib-src/etags.c uses the system C library function in its implementation of the etags program. For example, a victim may use the "etags -u *" command (suggested in the etags documentation) in a situation where the current working directory has contents that depend on untrusted input.

CVE-2022-48338 (https://git.savannah.gnu.org/cgit/emacs.git/commit/?id=9a3b08061feea14d6f37685ca1ab8801758bfd1c):

An issue was discovered in GNU Emacs through 28.2. In ruby-mode.el, the ruby-find-library-file function has a local command injection vulnerability. The ruby-find-library-file function is an interactive function, and bound to C-c C-f. Inside the function, the external command gem is called through shell-command-to-string, but the feature-name parameters are not escaped. Thus, malicious Ruby source files may cause commands to be executed.

CVE-2022-48339 (https://git.savannah.gnu.org/cgit/emacs.git/commit/?id=1b4dc4691c1f87fc970fbe568b43869a15ad0d4c):

An issue was discovered in GNU Emacs through 28.2. htmlfontify.el has a command injection vulnerability. In the hfy-istext-command function, the parameter file and parameter srcdir come from external input, and parameters are not escaped. If a file name or directory name contains shell metacharacters, code may be executed.

Looks like these commits are not in any tag.
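The three descriptions above share one bug class: a file or feature name is spliced into a shell command string, so the shell interprets any metacharacters it contains. The Emacs Lisp below is an added example (not code from Emacs or from the Gentoo patches) that puts that pattern beside two hardened forms, with `echo` standing in for `gem which` so it runs anywhere; the function names and the sample file name are constructed for illustration.

```elisp
;; Added example, not code from Emacs or the Gentoo bug.  Shows the
;; unsafe shell-command-to-string pattern the CVE descriptions refer to,
;; and two ways to remove the shell's chance to interpret the argument.
;; `echo' is used instead of `gem which' so the example runs offline.

(defun example-unsafe-shell-command (file)
  "Interpolate FILE into a shell command string without quoting.
The shell parses FILE, so metacharacters in it are interpreted."
  (shell-command-to-string (format "echo %s" file)))

(defun example-quoted-shell-command (file)
  "Same command, but FILE goes through `shell-quote-argument'.
The shell then sees FILE as one literal word."
  (shell-command-to-string
   (format "echo %s" (shell-quote-argument file))))

(defun example-no-shell (file)
  "Avoid the shell altogether with `call-process'.
FILE is passed as a single argv entry; nothing is parsed by a shell."
  (with-temp-buffer
    (call-process "echo" nil t nil file)
    (buffer-string)))

;; Constructed file name containing a command substitution.  The unsafe
;; variant lets the shell perform the substitution; the other two print
;; the name exactly as given.  Evaluate the `let' form to compare.
(let ((name "foo$(echo injected).rb"))
  (list (example-unsafe-shell-command name)
        (example-quoted-shell-command name)
        (example-no-shell name)))
```

When the external program's argument list is fixed, the `call-process` form is preferable to any quoting, since there is no shell command string to get wrong.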
Comment 1 Ulrich Müller gentoo-dev 2023-02-26 18:55:35 UTC
(In reply to John Helmert III from comment #0)
> Looks like these commits are not in any tag.

As a matter of fact, all of them are, in emacs-28.3-rc1 (different sha1 because they've been cherry-picked):

e339926272a Fix etags local command injection vulnerability
22fb5ff5126 Fix ruby-mode.el local command injection vulnerability (bug#60268)
807d2d5b3a7 Fix htmlfontify.el command injection vulnerability.
Comment 2 Larry the Git Cow gentoo-dev 2023-02-26 20:24:46 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/proj/emacs-patches.git/commit/?id=dfe3b5140502207cf64dc11b33c30da958822937

commit dfe3b5140502207cf64dc11b33c30da958822937
Author:     Ulrich Müller <ulm@gentoo.org>
AuthorDate: 2023-02-26 20:00:06 +0000
Commit:     Ulrich Müller <ulm@gentoo.org>
CommitDate: 2023-02-26 20:00:06 +0000

    Fix multiple command injection vulnerabilities
    
    This fixes command injection vulnerabilities in etags (CVE-2022-48337),
    ruby-mode (CVE-2022-48338), and htmlfontify (CVE-2022-48339) for Emacs
    slots 25, 26, 27, and 28.
    
    Note that Emacs 25 and 26 are not affected by the ruby-mode
    vulnerability because function ruby-find-library-file did not yet
    exist (and there is no call to the gem command in ruby-mode.el).
    
    Emacs 18 is not affected by either of them: It doesn't have ruby-mode
    and htmlfontify, and we no longer install the ctags and etags binaries.
    
    Bug: https://bugs.gentoo.org/897950
    Signed-off-by: Ulrich Müller <ulm@gentoo.org>

 emacs/25.3/05_all_etags-metachar.patch | 99 ++++++++++++++++++++++++++++++++++
 emacs/25.3/06_all_htmlfontify.patch    | 22 ++++++++
 emacs/26.3/05_all_etags-metachar.patch | 99 ++++++++++++++++++++++++++++++++++
 emacs/26.3/06_all_htmlfontify.patch    | 22 ++++++++
 emacs/27.2/05_all_etags-metachar.patch | 99 ++++++++++++++++++++++++++++++++++
 emacs/27.2/06_all_ruby-mode.patch      | 22 ++++++++
 emacs/27.2/07_all_htmlfontify.patch    | 22 ++++++++
 emacs/28.2/04_all_gnus-nnml.patch      | 38 +++++++++++++
 emacs/28.2/05_all_etags-metachar.patch | 99 ++++++++++++++++++++++++++++++++++
 emacs/28.2/06_all_ruby-mode.patch      | 22 ++++++++
 emacs/28.2/07_all_htmlfontify.patch    | 22 ++++++++
 11 files changed, 566 insertions(+)
Comment 3 Larry the Git Cow gentoo-dev 2023-02-26 20:26:45 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=db1716e1306ad0961eccb313a0bb33fca2c73f5a

commit db1716e1306ad0961eccb313a0bb33fca2c73f5a
Author:     Ulrich Müller <ulm@gentoo.org>
AuthorDate: 2023-02-26 20:22:47 +0000
Commit:     Ulrich Müller <ulm@gentoo.org>
CommitDate: 2023-02-26 20:26:38 +0000

    app-editors/emacs: Fix multiple command injection vulnerabilities
    
    This fixes command injection vulnerabilities in etags (CVE-2022-48337),
    ruby-mode (CVE-2022-48338), and htmlfontify (CVE-2022-48339) for Emacs
    slots 25, 26, 27, and 28.
    
    Note that Emacs 25 and 26 are not affected by the ruby-mode
    vulnerability because function ruby-find-library-file did not yet
    exist (and there is no call to the gem command in ruby-mode.el).
    
    Emacs 18 is not affected by either of them: It doesn't have ruby-mode
    and htmlfontify, and we no longer install the ctags and etags binaries.
    
    Bug: https://bugs.gentoo.org/897950
    Signed-off-by: Ulrich Müller <ulm@gentoo.org>

 app-editors/emacs/Manifest                         |   6 +-
 app-editors/emacs/emacs-25.3-r16.ebuild            | 355 +++++++++++++++++++++
 ...emacs-26.3-r12.ebuild => emacs-26.3-r13.ebuild} |   2 +-
 ...emacs-27.2-r10.ebuild => emacs-27.2-r11.ebuild} |   2 +-
 .../{emacs-28.2-r5.ebuild => emacs-28.2-r6.ebuild} |   2 +-
 5 files changed, 362 insertions(+), 5 deletions(-)
Comment 4 Ulrich Müller gentoo-dev 2023-02-26 20:30:08 UTC
The stable candidates are:

app-editors/emacs-25.3-r16
app-editors/emacs-26.3-r13
app-editors/emacs-27.2-r11
app-editors/emacs-28.2-r6
Comment 5 Larry the Git Cow gentoo-dev 2024-07-01 06:10:20 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=7c19ce25facd6aa54d2b0f9a8fecd6020509009e

commit 7c19ce25facd6aa54d2b0f9a8fecd6020509009e
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-07-01 05:59:40 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2024-07-01 06:09:36 +0000

    [ GLSA 202407-08 ] GNU Emacs, Org Mode: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/897950
    Bug: https://bugs.gentoo.org/927820
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202407-08.xml | 66 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 66 insertions(+)