Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
gentooGentoo FoundationGLSA-200712-03
HistoryDec 09, 2007 - 12:00 a.m.

GNU Emacs: Multiple vulnerabilities

2007-12-0900:00:00
Gentoo Foundation
security.gentoo.org
14

10 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

0.011 Low

EPSS

Percentile

84.6%

JSON

Background

GNU Emacs is a highly extensible and customizable text editor.

Description

Drake Wilson reported that the hack-local-variables() function in GNU Emacs 22 does not properly match assignments of local variables in a file against a list of unsafe or risky variables, allowing to override them (CVE-2007-5795). Andreas Schwab (SUSE) discovered a stack-based buffer overflow in the format function when handling values with high precision (CVE-2007-6109).

Impact

Remote attackers could entice a user to open a specially crafted file in GNU Emacs, possibly leading to the execution of arbitrary Emacs Lisp code (via CVE-2007-5795) or arbitrary code (via CVE-2007-6109) with the privileges of the user running GNU Emacs.

Workaround

The first vulnerability can be worked around by setting the “enable-local-variables” option to “nil”, disabling the processing of local variable lists. GNU Emacs prior to version 22 is not affected by this vulnerability. There is no known workaround for the second vulnerability at this time.

Resolution

All GNU Emacs users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=app-editors/emacs-22.1-r3"
OSVersionArchitecturePackageVersionFilename
Gentooanyallapp-editors/emacs< 22.1-r3UNKNOWN

Related

openvas 12
nessus 9
prion 2
cve 2
fedora 2
ubuntucve 2
securityvulns 2
ubuntu 2
cbl_mariner 2
debiancve 1
openvas
openvas
Gentoo Security Advisory GLSA 200712-03 (emacs)
2008-09-24 00:00:00
Mandriva Update for emacs MDVSA-2008:034 (emacs)
2009-04-09 00:00:00
Gentoo Security Advisory GLSA 200712-03 (emacs)
2008-09-24 00:00:00
nessus
nessus
Mandriva Linux Security Advisory : emacs (MDVSA-2008:034)
2009-04-23 00:00:00
GLSA-200712-03 : GNU Emacs: Multiple vulnerabilities
2007-12-11 00:00:00
Fedora 8 : emacs-22.1-8.fc8 (2007-2946)
2007-11-20 00:00:00
prion
prion
Design/Logic Flaw
2007-11-02 22:46:00
Stack overflow
2007-12-07 11:46:00
cve
cve
CVE-2007-5795
2007-11-02 22:46:00
CVE-2007-6109
2007-12-07 11:46:00
fedora
fedora
[SECURITY] Fedora 7 Update: emacs-22.1-5.fc7
2007-11-17 05:34:28
[SECURITY] Fedora 8 Update: emacs-22.1-8.fc8
2007-11-17 05:33:04
ubuntucve
ubuntucve
CVE-2007-5795
2007-11-02 00:00:00
CVE-2007-6109
2007-12-07 00:00:00
securityvulns
securityvulns
[USN-541-1] Emacs vulnerability
2007-11-14 00:00:00
Emacs safe mode protection bypass
2007-11-14 00:00:00
ubuntu
ubuntu
Emacs vulnerability
2007-11-13 00:00:00
Emacs vulnerabilities
2008-05-06 00:00:00
cbl_mariner
cbl_mariner
CVE-2007-6109 affecting package emacs for versions less than 29.1-1
2024-03-19 17:21:46
CVE-2007-6109 affecting package emacs for versions less than 28.1-5
2023-01-03 20:57:36
debiancve
debiancve
CVE-2007-6109
2007-12-07 11:46:00

10 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

0.011 Low

EPSS

Percentile

84.6%

JSON
Related for GLSA-200712-03
openvas12nessus9prion2cve2fedora2ubuntucve2securityvulns2ubuntu2cbl_mariner2debiancve1