Mageia Linux Local Security Checks : Mageia: Security Advisory (MGASA-2023-0081)

Búsqueda de Vulnerabilidad		Buscar 324607 Descripciones CVE y 145615 Descripciones de Pruebas, accesos 10,000+ referencias cruzadas.
	Pruebas CVE Todos

ID de Prueba: 1.3.6.1.4.1.25623.1.1.10.2023.0081

Categoría: Mageia Linux Local Security Checks

Título: Mageia: Security Advisory (MGASA-2023-0081)

Resumen: The remote host is missing an update for the 'emacs' package(s) announced via the MGASA-2023-0081 advisory.

Descripción: Summary:
The remote host is missing an update for the 'emacs' package(s) announced via the MGASA-2023-0081 advisory.

Vulnerability Insight:
GNU Emacs through 28.2 allows attackers to execute commands via shell
metacharacters in the name of a source-code file, because lib-src/etags.c
uses the system C library function in its implementation of the etags
program. For example, a victim may use the 'etags -u *' command (suggested
in the etags documentation) in a situation where the current working
directory has contents that depend on untrusted input. (CVE-2022-48337)

An issue was discovered in GNU Emacs through 28.2. In ruby-mode.el, the
ruby-find-library-file function has a local command injection
vulnerability. The ruby-find-library-file function is an interactive
function, and bound to C-c C-f. Inside the function, the external command
gem is called through shell-command-to-string, but the feature-name
parameters are not escaped. Thus, malicious Ruby source files may cause
commands to be executed. (CVE-2022-48338)

An issue was discovered in GNU Emacs through 28.2. htmlfontify.el has a
command injection vulnerability. In the hfy-istext-command function, the
parameter file and parameter srcdir come from external input, and
parameters are not escaped. If a file name or directory name contains
shell metacharacters, code may be executed. (CVE-2022-48339)

Affected Software/OS:
'emacs' package(s) on Mageia 8.

Solution:
Please install the updated package(s).

CVSS Score:
10.0

CVSS Vector:
AV:N/AC:L/Au:N/C:C/I:C/A:C

Referencia Cruzada: Common Vulnerability Exposure (CVE) ID: CVE-2022-48337
Debian Security Information: DSA-5360 (Google Search)
https://www.debian.org/security/2023/dsa-5360
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FLPQ4K6H2S5TY3L5UDN4K4B3L5RQJYQ6/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U6HDBUQNAH2WL4MHWCTUZLN7NGF7CHTK/
https://git.savannah.gnu.org/cgit/emacs.git/commit/?id=01a4035c869b91c153af9a9132c87adb7669ea1c
https://lists.debian.org/debian-lts-announce/2023/05/msg00008.html
Common Vulnerability Exposure (CVE) ID: CVE-2022-48338
https://git.savannah.gnu.org/cgit/emacs.git/commit/?id=9a3b08061feea14d6f37685ca1ab8801758bfd1c
Common Vulnerability Exposure (CVE) ID: CVE-2022-48339
https://git.savannah.gnu.org/cgit/emacs.git/commit/?id=1b4dc4691c1f87fc970fbe568b43869a15ad0d4c

Copyright Copyright (C) 2023 Greenbone AG

Esta es sólo una de 145615 pruebas de vulnerabilidad en nuestra serie de pruebas. Encuentre más sobre cómo ejecutar una auditoría de seguridad completa.
Para ejecutar una prueba gratuita de esta vulnerabilidad contra su sistema, regístrese ahora.

ID de Prueba:	1.3.6.1.4.1.25623.1.1.10.2023.0081
Categoría:	Mageia Linux Local Security Checks
Título:	Mageia: Security Advisory (MGASA-2023-0081)
Resumen:	The remote host is missing an update for the 'emacs' package(s) announced via the MGASA-2023-0081 advisory.
Descripción:	Summary: The remote host is missing an update for the 'emacs' package(s) announced via the MGASA-2023-0081 advisory. Vulnerability Insight: GNU Emacs through 28.2 allows attackers to execute commands via shell metacharacters in the name of a source-code file, because lib-src/etags.c uses the system C library function in its implementation of the etags program. For example, a victim may use the 'etags -u *' command (suggested in the etags documentation) in a situation where the current working directory has contents that depend on untrusted input. (CVE-2022-48337) An issue was discovered in GNU Emacs through 28.2. In ruby-mode.el, the ruby-find-library-file function has a local command injection vulnerability. The ruby-find-library-file function is an interactive function, and bound to C-c C-f. Inside the function, the external command gem is called through shell-command-to-string, but the feature-name parameters are not escaped. Thus, malicious Ruby source files may cause commands to be executed. (CVE-2022-48338) An issue was discovered in GNU Emacs through 28.2. htmlfontify.el has a command injection vulnerability. In the hfy-istext-command function, the parameter file and parameter srcdir come from external input, and parameters are not escaped. If a file name or directory name contains shell metacharacters, code may be executed. (CVE-2022-48339) Affected Software/OS: 'emacs' package(s) on Mageia 8. Solution: Please install the updated package(s). CVSS Score: 10.0 CVSS Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Referencia Cruzada:	Common Vulnerability Exposure (CVE) ID: CVE-2022-48337 Debian Security Information: DSA-5360 (Google Search) https://www.debian.org/security/2023/dsa-5360 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FLPQ4K6H2S5TY3L5UDN4K4B3L5RQJYQ6/ https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U6HDBUQNAH2WL4MHWCTUZLN7NGF7CHTK/ https://git.savannah.gnu.org/cgit/emacs.git/commit/?id=01a4035c869b91c153af9a9132c87adb7669ea1c https://lists.debian.org/debian-lts-announce/2023/05/msg00008.html Common Vulnerability Exposure (CVE) ID: CVE-2022-48338 https://git.savannah.gnu.org/cgit/emacs.git/commit/?id=9a3b08061feea14d6f37685ca1ab8801758bfd1c Common Vulnerability Exposure (CVE) ID: CVE-2022-48339 https://git.savannah.gnu.org/cgit/emacs.git/commit/?id=1b4dc4691c1f87fc970fbe568b43869a15ad0d4c
Copyright	Copyright (C) 2023 Greenbone AG