Gentoo Archives: gentoo-announce

From: Aaron Bauman <bman@g.o>
To: gentoo-announce@l.g.o
Subject: [gentoo-announce] [ GLSA 201801-07 ] GNU Emacs: Command injection
Date: Sun, 07 Jan 2018 23:51:49
Message-Id: 1702767.t8SCU0XdhO@localhost.localdomain
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 201801-07
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                           https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal
    Title: GNU Emacs: Command injection
     Date: January 07, 2018
     Bugs: #630680
       ID: 201801-07

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A vulnerability has been found in Emacs which may allow for arbitrary
command execution.

Background
==========

GNU Emacs is a highly extensible and customizable text editor.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /     Vulnerable     /            Unaffected
    -------------------------------------------------------------------
  1  app-editors/emacs       < 23.4-r16:23          >= 23.4-r16:23
                             < 24.5-r4:24           >= 24.5-r4:24
                             < 25.2-r1:25           >= 25.2-r1:25

Description
===========

A command injection flaw within the Emacs "enriched mode" handling has
been discovered.

Impact
======

A remote attacker, by enticing a user to open a specially crafted file,
could execute arbitrary commands with the privileges of the process.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All GNU Emacs 23.x users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=app-editors/emacs-23.4-r16"

All GNU Emacs 24.x users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=app-editors/emacs-24.5-r4"

All GNU Emacs 25.x users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=app-editors/emacs-25.2-r1"

References
==========

[ 1 ] CVE-2017-14482
      https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-14482

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/201801-07
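
An added example, not part of the advisory or of Gentoo's own tooling: a Python check that classifies installed app-editors/emacs versions against the fixed versions in the Affected packages table. It assumes each slot equals the major version number and compares only dotted numeric versions with an optional -rN revision; the function names and the sample listing are constructed for illustration.

```python
import re

# Fixed version per slot, copied from the "Affected packages" table.
FIXED = {"23": "23.4-r16", "24": "24.5-r4", "25": "25.2-r1"}
PREFIX = "app-editors/emacs-"

# Constructed sample listing, one category/name-version entry per line.
SAMPLE = """\
app-editors/emacs-23.4-r9
app-editors/emacs-24.5-r4
app-editors/emacs-25.2
app-editors/emacs-26.1
app-editors/vim-8.0.1298
"""


def parse_version(version):
    """Split '24.5-r4' into ((24, 5), 4); a missing revision counts as r0."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:-r(\d+))?", version)
    if m is None:
        raise ValueError(f"unsupported version string: {version!r}")
    numbers = tuple(int(part) for part in m.group(1).split("."))
    return numbers, int(m.group(2) or 0)


def status(cpv):
    """Classify one installed package entry against the table."""
    if not cpv.startswith(PREFIX):
        return "not-emacs"
    try:
        installed = parse_version(cpv[len(PREFIX):])
    except ValueError:
        return "unknown"  # suffixes such as _rc or _p are not handled here
    slot = str(installed[0][0])  # assumption: slot equals the major version
    if slot not in FIXED:
        return "not-listed"  # the advisory says nothing about this slot
    fixed = parse_version(FIXED[slot])
    return "vulnerable" if installed < fixed else "unaffected"


def audit(listing):
    """Map every entry of a whitespace-separated listing to its status."""
    return {cpv: status(cpv) for cpv in listing.split()}


if __name__ == "__main__":
    for cpv, verdict in audit(SAMPLE).items():
        print(f"{verdict:<10} {cpv}")
```

Entries reported as "unknown" or "not-listed" fall outside what this simplified comparison and the advisory's table cover and need a manual check.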
