From emacs-29.3/etc/NEWS:

* Changes in Emacs 29.3
Emacs 29.3 is an emergency bugfix release intended to fix several
security vulnerabilities described below.

** Arbitrary Lisp code is no longer evaluated as part of turning on Org mode.
This is for security reasons, to avoid evaluating malicious Lisp code.

** New buffer-local variable 'untrusted-content'.
When this is non-nil, Lisp programs should treat buffer contents with
extra caution.

** Gnus now treats inline MIME contents as untrusted.
To get back previous insecure behavior, 'untrusted-content' should be
reset to nil in the buffer.

** LaTeX preview is now by default disabled for email attachments.
To get back previous insecure behavior, set the variable
'org--latex-preview-when-risky' to a non-nil value.

** Org mode now considers contents of remote files to be untrusted.
Remote files are recognized by calling 'file-remote-p'.

The bugs have been fixed in versions:
emacs-26.3-r17:26
emacs-27.2-r15:27
emacs-28.2-r11:28
emacs-29.3:29

Slot 18 is not affected.

<app-emacs/org-mode-9.6.23 is also affected.

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=776ccac5c84aa8942ddf6af1019aa0b36b132a1d

commit 776ccac5c84aa8942ddf6af1019aa0b36b132a1d
Author:     Maciej Barć <xgqt@gentoo.org>
AuthorDate: 2024-03-25 18:51:46 +0000
Commit:     Maciej Barć <xgqt@gentoo.org>
CommitDate: 2024-03-25 18:51:46 +0000

    app-emacs/org-mode: drop old 9.6.19

    Bug: https://bugs.gentoo.org/927820
    Signed-off-by: Maciej Barć <xgqt@gentoo.org>

 app-emacs/org-mode/Manifest | 1 -
 app-emacs/org-mode/org-mode-9.6.19.ebuild | 50 -------------------------------
 2 files changed, 51 deletions(-)

All vulnerable versions of app-emacs/org-mode are gone from the tree.

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ac4f684c29fc247b1edcc385ffa07cb4ecc4453f

commit ac4f684c29fc247b1edcc385ffa07cb4ecc4453f
Author:     Ulrich Müller <ulm@gentoo.org>
AuthorDate: 2024-06-04 18:51:22 +0000
Commit:     Ulrich Müller <ulm@gentoo.org>
CommitDate: 2024-06-04 18:52:20 +0000

    app-editors/emacs: drop 26.3-r16, 27.2-r14, 28.2-r10, 29.3-r1

    Bug: https://bugs.gentoo.org/927820
    Signed-off-by: Ulrich Müller <ulm@gentoo.org>

 app-editors/emacs/Manifest | 4 -
 app-editors/emacs/emacs-26.3-r16.ebuild | 379 -------------------
 app-editors/emacs/emacs-27.2-r14.ebuild | 445 -----------------------
 app-editors/emacs/emacs-28.2-r10.ebuild | 536 ---------------------------
 app-editors/emacs/emacs-29.3-r1.ebuild | 627 --------------------------------
 5 files changed, 1991 deletions(-)

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=7c19ce25facd6aa54d2b0f9a8fecd6020509009e

commit 7c19ce25facd6aa54d2b0f9a8fecd6020509009e
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-07-01 05:59:40 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2024-07-01 06:09:36 +0000

    [ GLSA 202407-08 ] GNU Emacs, Org Mode: Multiple Vulnerabilities

    Bug: https://bugs.gentoo.org/897950
    Bug: https://bugs.gentoo.org/927820
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202407-08.xml | 66 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 66 insertions(+)