emacs is vulnerable to Command Injection. The vulnerability exists due to the feature-name
parameter in the ruby-find-library-file
function and bound to C-c C-f.
functions are not properly escaped, allowing an attacker to inject and execute malicious commands by calling through shell-command-to-string
git.savannah.gnu.org/cgit/emacs.git/commit/?id=9a3b08061feea14d6f37685ca1ab8801758bfd1c
lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FLPQ4K6H2S5TY3L5UDN4K4B3L5RQJYQ6/
lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/U6HDBUQNAH2WL4MHWCTUZLN7NGF7CHTK/
lists.fedoraproject.org/archives/list/[email protected]/message/FLPQ4K6H2S5TY3L5UDN4K4B3L5RQJYQ6/
lists.fedoraproject.org/archives/list/[email protected]/message/U6HDBUQNAH2WL4MHWCTUZLN7NGF7CHTK/
security-tracker.debian.org/tracker/CVE-2022-48338
www.debian.org/security/2023/dsa-5360