emacs-26.1-11.el8
Errata ID: AXSA:2023-7128:10
GNU Emacs is a powerful, customizable, self-documenting text editor. It provides special code editing features, a scripting language (elisp), and the capability to read e-mail and news.
Security Fix(es):
* emacs: command execution via shell metacharacters (CVE-2022-48337)
* emacs: command injection vulnerability in htmlfontify.el (CVE-2022-48339)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Additional Changes:
For detailed information on changes in this release, see the Asianux Server 8.9 Release Notes linked from the References section.
CVE-2022-48337
GNU Emacs through 28.2 allows attackers to execute commands via shell metacharacters in the name of a source-code file, because lib-src/etags.c uses the C library function system() in its implementation of the etags program. For example, a victim may use the "etags -u *" command (suggested in the etags documentation) in a situation where the current working directory has contents that depend on untrusted input.
CVE-2022-48339
An issue was discovered in GNU Emacs through 28.2. htmlfontify.el has a command injection vulnerability. In the hfy-istext-command function, the parameter file and parameter srcdir come from external input, and parameters are not escaped. If a file name or directory name contains shell metacharacters, code may be executed.
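Both CVEs come from a file name reaching a shell as part of a command string. The following is an added example, not code from GNU Emacs or from this advisory: it flags file names that contain shell metacharacters and runs a child program with the name as a single argv element, so no shell parses it. The function names `has_shell_metachar` and `run_no_shell`, the metacharacter set and the sample names are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Characters a POSIX shell treats specially; a file name containing any of
   them changes the meaning of a command line built by string concatenation. */
static const char SHELL_META[] = ";&|<>()$`\\\"' \t\n*?[]#~!{}";

/* Return 1 if NAME contains a shell metacharacter, otherwise 0. */
int has_shell_metachar(const char *name)
{
    return strpbrk(name, SHELL_META) != NULL;
}

/* Hardened pattern: run ARGV[0] with the file name as one argv element.
   No shell parses the name, so metacharacters stay literal data.
   Returns the child's exit status, or -1 on failure. */
int run_no_shell(char *const argv[])
{
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execvp(argv[0], argv);
        _exit(127);               /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    /* Constructed sample names; the second mimics an untrusted file name. */
    const char *names[] = { "parser.c", "x.c;echo INJECTED" };
    for (size_t i = 0; i < 2; i++) {
        /* Weak pattern (not executed here): system("prog " + name)
           would hand the whole string to /bin/sh for parsing. */
        char *argv[] = { "test", "-e", (char *)names[i], NULL };
        printf("%-20s meta=%d exit=%d\n", names[i],
               has_shell_metachar(names[i]), run_no_shell(argv));
    }
    return 0;
}
```

The metacharacter check is useful for auditing a directory before running tools over its contents; it does not replace installing the updated packages.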
Update packages.
N/A
SRPMS
- emacs-26.1-11.el8.src.rpm
MD5: a62ff5bca5191c34b5d3f2c3b151d6f3
SHA-256: facdd61b376c5294de153f6e29df3442ba322c17b1bb3c21d0279cb29a9aed4d
Size: 42.33 MB
Asianux Server 8 for x86_64
- emacs-26.1-11.el8.x86_64.rpm
MD5: db89e17f5f578f442aa4e6677e23dffa
SHA-256: d963d9bbf6c18ec49e785000474927ecaa4670fe6db63ba6710be914ddf1d78f
Size: 3.15 MB
- emacs-common-26.1-11.el8.x86_64.rpm
MD5: ac688d071d795e1f5d9a0314d572f6fa
SHA-256: edb310336801420febd5f172b5ae17d9a2c2d0faaf87777f8d5b3bd0c63ce131
Size: 38.36 MB
- emacs-filesystem-26.1-11.el8.noarch.rpm
MD5: a9fee0a8afe570ebe7251d01124d3f53
SHA-256: a90c17a88cdf9d01a955507ca1f23b97f8fe0e1989039ad7d3a2bc1badd032da
Size: 68.94 kB
- emacs-lucid-26.1-11.el8.x86_64.rpm
MD5: 5eed92bb5accf1063bd9dc6f66753c5a
SHA-256: 1e0f448aaa5870e6c6166ab36e79096ef9a441e48b444bfcfe3f4d97a7434240
Size: 3.13 MB
- emacs-nox-26.1-11.el8.x86_64.rpm
MD5: c054a97857b6b9eb04abcd03e059c906
SHA-256: 1403b2f69f9a865bf019c33bd817f28792812149d8769f819131224c14c2931d
Size: 2.75 MB
- emacs-terminal-26.1-11.el8.noarch.rpm
MD5: 44d868d3dbad878ab2e36cdefc1638b4
SHA-256: 16d57e27fc0a403f1aafd276a180e32de31cb2d1908b5fdae12bea46617b1c0c
Size: 69.62 kB