[SECURITY] [DLA 3257-1] emacs security update

2022-12-3120:00:00

lists.debian.org

7.8 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

4.4 Medium

CVSS2

Access Vector

LOCAL

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:L/AC:M/Au:N/C:P/I:P/A:P

0.001 Low

EPSS

Percentile

33.7%

JSON

Debian LTS Advisory DLA-3257-1 [email protected]
https://www.debian.org/lts/security/ Chris Lamb
December 31, 2022 https://wiki.debian.org/LTS

Package : emacs
Version : 1:26.1+1-3.2+deb10u3
CVE ID : CVE-2022-45939
Debian Bug : 1025009

It was discovered that there was an issue in Emacs where where
attackers could have executed arbitrary commands via shell
metacharacters in the name of a source-code file.

This was because lib-src/etags.c used the system(3) library function
when calling the (external) ctags(1) binary.

For Debian 10 buster, this problem has been fixed in version
1:26.1+1-3.2+deb10u3.

We recommend that you upgrade your emacs packages.

For the detailed security status of emacs please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/emacs

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

OSVersionArchitecturePackageVersionFilename
Debian10allemacs25-lucid< 1:26.1+1-3.2+deb10u3emacs25-lucid_1:26.1+1-3.2+deb10u3_all.deb
Debian11armelemacs-bin-common-dbgsym< 1:27.1+1-3.1+deb11u1emacs-bin-common-dbgsym_1:27.1+1-3.1+deb11u1_armel.deb
Debian11s390xemacs-gtk-dbgsym< 1:27.1+1-3.1+deb11u1emacs-gtk-dbgsym_1:27.1+1-3.1+deb11u1_s390x.deb
Debian10allemacs22-nox< 1:26.1+1-3.2+deb10u3emacs22-nox_1:26.1+1-3.2+deb10u3_all.deb
Debian11armelemacs-gtk< 1:27.1+1-3.1+deb11u1emacs-gtk_1:27.1+1-3.1+deb11u1_armel.deb
Debian11mipselemacs-bin-common-dbgsym< 1:27.1+1-3.1+deb11u1emacs-bin-common-dbgsym_1:27.1+1-3.1+deb11u1_mipsel.deb
Debian10arm64emacs-bin-common< 1:26.1+1-3.2+deb10u3emacs-bin-common_1:26.1+1-3.2+deb10u3_arm64.deb
Debian11amd64emacs-nox< 1:27.1+1-3.1+deb11u1emacs-nox_1:27.1+1-3.1+deb11u1_amd64.deb
Debian11armhfemacs-bin-common< 1:27.1+1-3.1+deb11u1emacs-bin-common_1:27.1+1-3.1+deb11u1_armhf.deb
Debian11mips64elemacs-gtk-dbgsym< 1:27.1+1-3.1+deb11u1emacs-gtk-dbgsym_1:27.1+1-3.1+deb11u1_mips64el.deb

OS	Version	Architecture	Package	Version	Filename
Debian	10	all	emacs25-lucid	< 1:26.1+1-3.2+deb10u3	emacs25-lucid_1:26.1+1-3.2+deb10u3_all.deb
Debian	11	armel	emacs-bin-common-dbgsym	< 1:27.1+1-3.1+deb11u1	emacs-bin-common-dbgsym_1:27.1+1-3.1+deb11u1_armel.deb
Debian	11	s390x	emacs-gtk-dbgsym	< 1:27.1+1-3.1+deb11u1	emacs-gtk-dbgsym_1:27.1+1-3.1+deb11u1_s390x.deb
Debian	10	all	emacs22-nox	< 1:26.1+1-3.2+deb10u3	emacs22-nox_1:26.1+1-3.2+deb10u3_all.deb
Debian	11	armel	emacs-gtk	< 1:27.1+1-3.1+deb11u1	emacs-gtk_1:27.1+1-3.1+deb11u1_armel.deb
Debian	11	mipsel	emacs-bin-common-dbgsym	< 1:27.1+1-3.1+deb11u1	emacs-bin-common-dbgsym_1:27.1+1-3.1+deb11u1_mipsel.deb
Debian	10	arm64	emacs-bin-common	< 1:26.1+1-3.2+deb10u3	emacs-bin-common_1:26.1+1-3.2+deb10u3_arm64.deb
Debian	11	amd64	emacs-nox	< 1:27.1+1-3.1+deb11u1	emacs-nox_1:27.1+1-3.1+deb11u1_amd64.deb
Debian	11	armhf	emacs-bin-common	< 1:27.1+1-3.1+deb11u1	emacs-bin-common_1:27.1+1-3.1+deb11u1_armhf.deb
Debian	11	mips64el	emacs-gtk-dbgsym	< 1:27.1+1-3.1+deb11u1	emacs-gtk-dbgsym_1:27.1+1-3.1+deb11u1_mips64el.deb