From emacs-29.3/etc/NEWS:

* Changes in Emacs 29.3
Emacs 29.3 is an emergency bugfix release intended to fix several
security vulnerabilities described below.

** Arbitrary Lisp code is no longer evaluated as part of turning on Org mode.
This is for security reasons, to avoid evaluating malicious Lisp code.

** New buffer-local variable 'untrusted-content'.
When this is non-nil, Lisp programs should treat buffer contents with
extra caution.

** Gnus now treats inline MIME contents as untrusted.
To get back previous insecure behavior, 'untrusted-content' should be
reset to nil in the buffer.

** LaTeX preview is now by default disabled for email attachments.
To get back previous insecure behavior, set the variable
'org--latex-preview-when-risky' to a non-nil value.

** Org mode now considers contents of remote files to be untrusted.
Remote files are recognized by calling 'file-remote-p'.

The bugs have been fixed in versions:
emacs-26.3-r17:26
emacs-27.2-r15:27
emacs-28.2-r11:28
emacs-29.3:29

Slot 18 is not affected.
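The 'untrusted-content' contract from the NEWS entry above, seen from the side of a Lisp program that has to honour it. This is an added example, not code from Emacs, Org or this bug; the `my/` function names are hypothetical, and only 'untrusted-content' and 'file-remote-p' come from the NEWS text.

```elisp
;;; -*- lexical-binding: t; -*-
;; Added example; every `my/' name below is hypothetical.

(defun my/buffer-content-risky-p (&optional buffer)
  "Return non-nil if BUFFER's text should not drive evaluation.
BUFFER defaults to the current buffer."
  (with-current-buffer (or buffer (current-buffer))
    (or
     ;; On an Emacs without the variable, `bound-and-true-p' returns
     ;; nil instead of signalling `void-variable'.
     (bound-and-true-p untrusted-content)
     ;; The same remote-file test the NEWS entry names for Org mode.
     (and buffer-file-name
          (file-remote-p buffer-file-name)
          t))))

(defun my/eval-buffer-if-trusted ()
  "Evaluate the current buffer as Lisp only when its content is trusted."
  (interactive)
  (if (my/buffer-content-risky-p)
      (user-error "Refusing to evaluate: buffer content is untrusted or remote")
    (eval-buffer)))

(defun my/mark-buffer-untrusted (&optional buffer)
  "Flag BUFFER as holding untrusted content.
A package that fills a buffer from mail, a download or any other
outside source would call this right after inserting the text."
  (with-current-buffer (or buffer (current-buffer))
    (setq-local untrusted-content t)))

;; Constructed sample: a buffer filled from an outside source is
;; flagged, so the guard refuses to evaluate the form it contains.
(with-temp-buffer
  (insert "(message \"evaluated\")")
  (my/mark-buffer-untrusted)
  (condition-case err
      (my/eval-buffer-if-trusted)
    (user-error (message "%s" (error-message-string err)))))
```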
<app-emacs/org-mode-9.6.23 is also affected.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=776ccac5c84aa8942ddf6af1019aa0b36b132a1d

commit 776ccac5c84aa8942ddf6af1019aa0b36b132a1d
Author:     Maciej Barć <xgqt@gentoo.org>
AuthorDate: 2024-03-25 18:51:46 +0000
Commit:     Maciej Barć <xgqt@gentoo.org>
CommitDate: 2024-03-25 18:51:46 +0000

    app-emacs/org-mode: drop old 9.6.19

    Bug: https://bugs.gentoo.org/927820
    Signed-off-by: Maciej Barć <xgqt@gentoo.org>

 app-emacs/org-mode/Manifest               |  1 -
 app-emacs/org-mode/org-mode-9.6.19.ebuild | 50 -------------------------------
 2 files changed, 51 deletions(-)
All vulnerable versions of app-emacs/org-mode are gone from the tree.