PT-2023-9295 · Gnu Emacs +9

Xi Lu · Published 2023-02-20 · Updated 2025-03-18 · CVE-2022-48339

CVSS v3.1: 7.8 (High)

Vector: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: GNU Emacs versions through 28.2

Description: The issue is a command injection vulnerability in the htmlfontify.el module of GNU Emacs. Specifically, the hfy-istext-command function is vulnerable because the file and srcdir parameters, which come from external input, are not escaped before being used. If a file name or directory name contains shell metacharacters, it may lead to the execution of arbitrary code.

Recommendations: For GNU Emacs versions through 28.2, consider disabling the hfy-istext-command function until a patch is available to prevent potential exploitation. Restrict access to the htmlfontify.el module to minimize the risk of exploitation. Avoid using the parameters file and srcdir in the affected function until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
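The following Emacs Lisp is an added illustration of the pattern behind the description, not the htmlfontify.el source or the project's fix: a shell command line built from unescaped file and directory parameters, beside two safe variants. The function names (demo-istext-unsafe, demo-istext-quoted, demo-istext-argv), the use of the external program "file", and the sample file name are assumptions made for this example.

```elisp
;; Added example (hypothetical names, not htmlfontify.el code): why splicing
;; unescaped FILE / SRCDIR parameters into a shell command is a command
;; injection, and how to build the same call safely.

(require 'subr-x)   ; string-trim (built into subr.el from Emacs 29)

;; Constructed sample input: a file name carrying shell metacharacters.
(defvar demo-evil-name "foo.txt; echo injected")
(defvar demo-srcdir "/tmp")

;; UNSAFE: both parameters are spliced verbatim into a command string that
;; is handed to the shell, so every metacharacter in them is interpreted.
;; With demo-evil-name the shell sees two commands, not one file argument.
(defun demo-istext-unsafe (file srcdir)
  (shell-command-to-string (format "file %s/%s" srcdir file)))

;; SAFE (1): quote each parameter with `shell-quote-argument' before
;; splicing.  The path reaches the program as a single literal argument.
(defun demo-istext-quoted (file srcdir)
  (shell-command-to-string
   (format "file %s" (shell-quote-argument
                      (expand-file-name file srcdir)))))

;; SAFE (2): avoid the shell entirely.  `call-process' passes each argument
;; straight into the program's argv, so no metacharacter is ever parsed by a
;; shell.  "--" stops the program from treating a leading "-" as an option.
(defun demo-istext-argv (file srcdir)
  (with-temp-buffer
    (call-process "file" nil t nil "--" (expand-file-name file srcdir))
    (string-trim (buffer-string))))

;; Inspect the command lines without executing anything:
(format "file %s/%s" demo-srcdir demo-evil-name)
;; => "file /tmp/foo.txt; echo injected"          <- second command would run
(format "file %s" (shell-quote-argument
                   (expand-file-name demo-evil-name demo-srcdir)))
;; => "file /tmp/foo.txt\\;\\ echo\\ injected"    <- one literal argument
```

The two `format` calls at the end are enough to audit a function like this: if a metacharacter in a parameter survives into the command string unescaped, the shell will interpret it. Of the two fixes, the argv form (SAFE 2) is preferable because it removes the shell from the path altogether; `shell-quote-argument` is the fallback when the command genuinely has to go through a shell.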

Weakness Enumeration

Improper Encoding or Escaping of Output

Related identifiers

ALSA-2023:2626
ALSA-2023:7083
ALT-PU-2023-5762
AZL-13682
BDU:2024-06037
CESA-2023_3481
CESA-2023_7083
CVE-2022-48339
DLA-3416-1
DSA-5360-1
MGASA-2023-0081
OESA-2023-1148
OPENSUSE-SU-2024:12721-1
RHSA-2023:2626
RHSA-2023:3481
RHSA-2023:7083
RHSA-2023_2626
RHSA-2023_3481
RHSA-2023_7083
RHSA-2024:1103
RHSA-2024:1408
ROSA-SA-2023-2191
ROSA-SA-2024-2433
SUSE-SU-2023:0597-1
SUSE-SU-2023:0598-1
SUSE-SU-2023:0675-1
USN-5955-1
USN-7027-1

Affected products

Alt Linux
Almalinux
Astra Linux
Centos
Gnu Emacs
Linuxmint
Red Hat
Red Os
Suse
Ubuntu