CVE-2022-48337 (https://git.savannah.gnu.org/cgit/emacs.git/commit/?id=01a4035c869b91c153af9a9132c87adb7669ea1c): GNU Emacs through 28.2 allows attackers to execute commands via shell metacharacters in the name of a source-code file, because lib-src/etags.c uses the system C library function in its implementation of the etags program. For example, a victim may use the "etags -u *" command (suggested in the etags documentation) in a situation where the current working directory has contents that depend on untrusted input. CVE-2022-48338 (https://git.savannah.gnu.org/cgit/emacs.git/commit/?id=9a3b08061feea14d6f37685ca1ab8801758bfd1c): An issue was discovered in GNU Emacs through 28.2. In ruby-mode.el, the ruby-find-library-file function has a local command injection vulnerability. The ruby-find-library-file function is an interactive function, and bound to C-c C-f. Inside the function, the external command gem is called through shell-command-to-string, but the feature-name parameters are not escaped. Thus, malicious Ruby source files may cause commands to be executed. CVE-2022-48339 (https://git.savannah.gnu.org/cgit/emacs.git/commit/?id=1b4dc4691c1f87fc970fbe568b43869a15ad0d4c): An issue was discovered in GNU Emacs through 28.2. htmlfontify.el has a command injection vulnerability. In the hfy-istext-command function, the parameter file and parameter srcdir come from external input, and parameters are not escaped. If a file name or directory name contains shell metacharacters, code may be executed. Looks like these commits are not in any tag.
(In reply to John Helmert III from comment #0) > Looks like these commits are not in any tag. As a matter of fact, all of them are, in emacs-28.3-rc1 (different sha1 because they've been cherry-picked): e339926272a Fix etags local command injection vulnerability 22fb5ff5126 Fix ruby-mode.el local command injection vulnerability (bug#60268) 807d2d5b3a7 Fix htmlfontify.el command injection vulnerability.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/proj/emacs-patches.git/commit/?id=dfe3b5140502207cf64dc11b33c30da958822937 commit dfe3b5140502207cf64dc11b33c30da958822937 Author: Ulrich Müller <ulm@gentoo.org> AuthorDate: 2023-02-26 20:00:06 +0000 Commit: Ulrich Müller <ulm@gentoo.org> CommitDate: 2023-02-26 20:00:06 +0000 Fix multiple command injection vulnerabilities This fixes command injection vulnerabilities in etags (CVE-2022-48337), ruby-mode (CVE-2022-48338), and htmlfontify (CVE-2022-48339) for Emacs slots 25, 26, 27, and 28. Note that Emacs 25 and 26 are not affected by the ruby-mode vulnerability because function ruby-find-library-file did not yet exist (and there is no call to the gem command in ruby-mode.el). Emacs 18 is not affected by either of them: It doesn't have ruby-mode and htmlfontify, and we no longer install the ctags and etags binaries. Bug: https://bugs.gentoo.org/897950 Signed-off-by: Ulrich Müller <ulm@gentoo.org> emacs/25.3/05_all_etags-metachar.patch | 99 ++++++++++++++++++++++++++++++++++ emacs/25.3/06_all_htmlfontify.patch | 22 ++++++++ emacs/26.3/05_all_etags-metachar.patch | 99 ++++++++++++++++++++++++++++++++++ emacs/26.3/06_all_htmlfontify.patch | 22 ++++++++ emacs/27.2/05_all_etags-metachar.patch | 99 ++++++++++++++++++++++++++++++++++ emacs/27.2/06_all_ruby-mode.patch | 22 ++++++++ emacs/27.2/07_all_htmlfontify.patch | 22 ++++++++ emacs/28.2/04_all_gnus-nnml.patch | 38 +++++++++++++ emacs/28.2/05_all_etags-metachar.patch | 99 ++++++++++++++++++++++++++++++++++ emacs/28.2/06_all_ruby-mode.patch | 22 ++++++++ emacs/28.2/07_all_htmlfontify.patch | 22 ++++++++ 11 files changed, 566 insertions(+)
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=db1716e1306ad0961eccb313a0bb33fca2c73f5a commit db1716e1306ad0961eccb313a0bb33fca2c73f5a Author: Ulrich Müller <ulm@gentoo.org> AuthorDate: 2023-02-26 20:22:47 +0000 Commit: Ulrich Müller <ulm@gentoo.org> CommitDate: 2023-02-26 20:26:38 +0000 app-editors/emacs: Fix multiple command injection vulnerabilities This fixes command injection vulnerabilities in etags (CVE-2022-48337), ruby-mode (CVE-2022-48338), and htmlfontify (CVE-2022-48339) for Emacs slots 25, 26, 27, and 28. Note that Emacs 25 and 26 are not affected by the ruby-mode vulnerability because function ruby-find-library-file did not yet exist (and there is no call to the gem command in ruby-mode.el). Emacs 18 is not affected by either of them: It doesn't have ruby-mode and htmlfontify, and we no longer install the ctags and etags binaries. Bug: https://bugs.gentoo.org/897950 Signed-off-by: Ulrich Müller <ulm@gentoo.org> app-editors/emacs/Manifest | 6 +- app-editors/emacs/emacs-25.3-r16.ebuild | 355 +++++++++++++++++++++ ...emacs-26.3-r12.ebuild => emacs-26.3-r13.ebuild} | 2 +- ...emacs-27.2-r10.ebuild => emacs-27.2-r11.ebuild} | 2 +- .../{emacs-28.2-r5.ebuild => emacs-28.2-r6.ebuild} | 2 +- 5 files changed, 362 insertions(+), 5 deletions(-)
The stable candidates are: app-editors/emacs-25.3-r16 app-editors/emacs-26.3-r13 app-editors/emacs-27.2-r11 app-editors/emacs-28.2-r6
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/data/glsa.git/commit/?id=7c19ce25facd6aa54d2b0f9a8fecd6020509009e commit 7c19ce25facd6aa54d2b0f9a8fecd6020509009e Author: GLSAMaker <glsamaker@gentoo.org> AuthorDate: 2024-07-01 05:59:40 +0000 Commit: John Helmert III <ajak@gentoo.org> CommitDate: 2024-07-01 06:09:36 +0000 [ GLSA 202407-08 ] GNU Emacs, Org Mode: Multiple Vulnerabilities Bug: https://bugs.gentoo.org/897950 Bug: https://bugs.gentoo.org/927820 Signed-off-by: GLSAMaker <glsamaker@gentoo.org> Signed-off-by: John Helmert III <ajak@gentoo.org> glsa-202407-08.xml | 66 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 66 insertions(+)
