Bug 900587 (CVE-2023-27985, CVE-2023-27986)

Summary:	<x11-misc/emacs-desktop-mail-1.2: Code injection vulnerabilities through crafted mailto URI
Product:	Gentoo Security	Reporter:	Ulrich Müller <ulm>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	normal	CC:	gnu-emacs
Priority:	Normal
Version:	unspecified
Hardware:	All
OS:	Linux
Whiteboard:	~2 [noglsa]
Package list:		Runtime testing required:	---

Description Ulrich Müller gentoo-dev

2023-03-09 15:00:35 UTC

CVE-2023-27985: emacsclient-mail.desktop in Emacs 28.1 through 28.2 is vulnerable to shell command injections through a crafted mailto: URI. This is related to lack of compliance with the Desktop Entry Specification.

CVE-2023-27986: emacsclient-mail.desktop in Emacs 28.1 through 28.2 is vulnerable to Emacs Lisp code injections through a crafted mailto: URI with unescaped double-quote characters.

The app-editors/emacs package never installed the desktop file in question, so they are _not_ affected.

The file is installed by x11-misc/emacs-desktop-mail, which has been fixed in version 1.2 (and previous versions have been removed):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0f29d9f2912573e696b9cb6019cb036246d7d21e

Comment 1 John Helmert III archtester

2023-03-11 04:43:22 UTC

All unstable, so already all done, thanks!