[SECURITY] [DLA 3257-1] emacs security update

2022-12-3120:00:00

lists.debian.org

debian lts

emacs

arbitrary command execution

7.8 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

8 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

34.4%

JSON

Debian LTS Advisory DLA-3257-1 [email protected]
https://www.debian.org/lts/security/ Chris Lamb
December 31, 2022 https://wiki.debian.org/LTS

Package : emacs
Version : 1:26.1+1-3.2+deb10u3
CVE ID : CVE-2022-45939
Debian Bug : 1025009

It was discovered that there was an issue in Emacs where where
attackers could have executed arbitrary commands via shell
metacharacters in the name of a source-code file.

This was because lib-src/etags.c used the system(3) library function
when calling the (external) ctags(1) binary.

For Debian 10 buster, this problem has been fixed in version
1:26.1+1-3.2+deb10u3.

We recommend that you upgrade your emacs packages.

For the detailed security status of emacs please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/emacs

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

OSVersionArchitecturePackageVersionFilename
Debian11i386emacs-gtk-dbgsym< 1:27.1+1-3.1+deb11u1emacs-gtk-dbgsym_1:27.1+1-3.1+deb11u1_i386.deb
Debian10allemacs25-lucid< 1:26.1+1-3.2+deb10u3emacs25-lucid_1:26.1+1-3.2+deb10u3_all.deb
Debian11armhfemacs-bin-common< 1:27.1+1-3.1+deb11u1emacs-bin-common_1:27.1+1-3.1+deb11u1_armhf.deb
Debian11amd64emacs-bin-common< 1:27.1+1-3.1+deb11u1emacs-bin-common_1:27.1+1-3.1+deb11u1_amd64.deb
Debian11mipselemacs-gtk< 1:27.1+1-3.1+deb11u1emacs-gtk_1:27.1+1-3.1+deb11u1_mipsel.deb
Debian11armhfemacs-gtk-dbgsym< 1:27.1+1-3.1+deb11u1emacs-gtk-dbgsym_1:27.1+1-3.1+deb11u1_armhf.deb
Debian11amd64emacs-bin-common-dbgsym< 1:27.1+1-3.1+deb11u1emacs-bin-common-dbgsym_1:27.1+1-3.1+deb11u1_amd64.deb
Debian10i386emacs-gtk< 1:26.1+1-3.2+deb10u3emacs-gtk_1:26.1+1-3.2+deb10u3_i386.deb
Debian11ppc64elemacs-gtk< 1:27.1+1-3.1+deb11u1emacs-gtk_1:27.1+1-3.1+deb11u1_ppc64el.deb
Debian10allemacs21< 1:26.1+1-3.2+deb10u3emacs21_1:26.1+1-3.2+deb10u3_all.deb

OS	Version	Architecture	Package	Version	Filename
Debian	11	i386	emacs-gtk-dbgsym	< 1:27.1+1-3.1+deb11u1	emacs-gtk-dbgsym_1:27.1+1-3.1+deb11u1_i386.deb
Debian	10	all	emacs25-lucid	< 1:26.1+1-3.2+deb10u3	emacs25-lucid_1:26.1+1-3.2+deb10u3_all.deb
Debian	11	armhf	emacs-bin-common	< 1:27.1+1-3.1+deb11u1	emacs-bin-common_1:27.1+1-3.1+deb11u1_armhf.deb
Debian	11	amd64	emacs-bin-common	< 1:27.1+1-3.1+deb11u1	emacs-bin-common_1:27.1+1-3.1+deb11u1_amd64.deb
Debian	11	mipsel	emacs-gtk	< 1:27.1+1-3.1+deb11u1	emacs-gtk_1:27.1+1-3.1+deb11u1_mipsel.deb
Debian	11	armhf	emacs-gtk-dbgsym	< 1:27.1+1-3.1+deb11u1	emacs-gtk-dbgsym_1:27.1+1-3.1+deb11u1_armhf.deb
Debian	11	amd64	emacs-bin-common-dbgsym	< 1:27.1+1-3.1+deb11u1	emacs-bin-common-dbgsym_1:27.1+1-3.1+deb11u1_amd64.deb
Debian	10	i386	emacs-gtk	< 1:26.1+1-3.2+deb10u3	emacs-gtk_1:26.1+1-3.2+deb10u3_i386.deb
Debian	11	ppc64el	emacs-gtk	< 1:27.1+1-3.1+deb11u1	emacs-gtk_1:27.1+1-3.1+deb11u1_ppc64el.deb
Debian	10	all	emacs21	< 1:26.1+1-3.2+deb10u3	emacs21_1:26.1+1-3.2+deb10u3_all.deb