PT-2023-9295 · Gnu Emacs+9

Xi Lu · Published 2023-02-20 · Updated 2025-03-18 · CVE-2022-48339 · CVSS v3.1 7.8 High
Vector: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: GNU Emacs versions through 28.2
Description: GNU Emacs versions through 28.2 contain a command injection vulnerability in the htmlfontify.el module. Specifically, hfy-istext-command does not escape the file and srcdir parameters, which come from external input, before they reach the shell. A file name or directory name that contains shell metacharacters can therefore lead to the execution of arbitrary code.
Recommendations: For GNU Emacs versions through 28.2, consider disabling the hfy-istext-command function until a patch is available to prevent potential exploitation. Restrict access to the htmlfontify.el module to minimize the risk of exploitation. Avoid using the file and srcdir parameters in the affected function until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
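An added Emacs Lisp illustration (not the htmlfontify.el code itself) of the escaping the description says is missing: the untrusted file and srcdir values are passed through shell-quote-argument before being formatted into the command template, so a name containing shell metacharacters stays one argument instead of being interpreted by the shell. The template string, the function names and the sample paths are assumptions made for this illustration.

```elisp
;; Added example, not code from Emacs' htmlfontify.el.  The template,
;; function names and sample paths below are assumptions made for the
;; illustration.

(defvar my-istext-command "file %s"
  "Command template whose single %s receives one shell-quoted path.")

(defun my-istext-shell-command (file srcdir)
  "Return the probe command for FILE inside SRCDIR with the path quoted.
FILE and SRCDIR are treated as untrusted external input: the expanded
path goes through `shell-quote-argument' so shell metacharacters in it
are escaped instead of interpreted."
  (let ((path (expand-file-name file srcdir)))
    (format my-istext-command (shell-quote-argument path))))

(defun my-istext-unquoted-command (file srcdir)
  "The unquoted form of the same command, shown only for contrast:
metacharacters in FILE or SRCDIR reach the shell unescaped."
  (format my-istext-command (expand-file-name file srcdir)))

;; Constructed sample: a file name containing `;' and a space.
;; Evaluate the form to compare the two command strings side by side.
(let ((file "notes;draft 1.txt")
      (srcdir "/srv/www/src"))
  (list (my-istext-unquoted-command file srcdir)
        (my-istext-shell-command file srcdir)))
```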

Weakness Enumeration

Improper Encoding or Escaping of Output

Related Identifiers

ALSA-2023:2626
ALSA-2023:7083
ALT-PU-2023-5762
AZL-13682
BDU:2024-06037
CESA-2023_3481
CESA-2023_7083
CVE-2022-48339
DLA-3416-1
DSA-5360-1
MGASA-2023-0081
OESA-2023-1148
OPENSUSE-SU-2024:12721-1
RHSA-2023:2626
RHSA-2023:3481
RHSA-2023:7083
RHSA-2023_2626
RHSA-2023_3481
RHSA-2023_7083
RHSA-2024:1103
RHSA-2024:1408
ROSA-SA-2023-2191
ROSA-SA-2024-2433
SUSE-SU-2023:0597-1
SUSE-SU-2023:0598-1
SUSE-SU-2023:0675-1
USN-5955-1
USN-7027-1

Affected Products

Alt Linux
Almalinux
Astra Linux
Centos
Gnu Emacs
Linuxmint
Red Hat
Red Os
Suse
Ubuntu