git: 3c06e8a44bbc - main - security/vuxml: Document Emacs arbitrary shell code evaluation

Go to: [ bottom of page ] [ top of archives ] [ this month ]
From: Joseph Mingrone <jrm_at_FreeBSD.org>
Date: Sun, 23 Jun 2024 21:38:00 UTC
The branch main has been updated by jrm:

URL: https://cgit.FreeBSD.org/ports/commit/?id=3c06e8a44bbcbdedea5864d7e9a61596832a4375

commit 3c06e8a44bbcbdedea5864d7e9a61596832a4375
Author:     Joseph Mingrone <jrm@FreeBSD.org>
AuthorDate: 2024-06-23 16:09:54 +0000
Commit:     Joseph Mingrone <jrm@FreeBSD.org>
CommitDate: 2024-06-23 21:35:38 +0000

    security/vuxml: Document Emacs arbitrary shell code evaluation
    
    Emacs 29.4 is an emergency bugfix release intended to fix a security
    vulnerability.  Arbitrary shell commands are no longer run when turning
    on Org mode in order to avoid running malicious code.
    
    Reviewed by:    ashish, yasu
    Sponsored by:   The FreeBSD Foundation
    Differential Revision:  https://reviews.freebsd.org/D45702
---
 security/vuxml/vuln/2024.xml | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)

diff --git a/security/vuxml/vuln/2024.xml b/security/vuxml/vuln/2024.xml
index 9c61ccf2e938..35ce1022a309 100644
--- a/security/vuxml/vuln/2024.xml
+++ b/security/vuxml/vuln/2024.xml
@@ -1,3 +1,31 @@
+  <vuln vid="4f6c4c07-3179-11ef-9da5-1c697a616631">
+    <topic>emacs -- arbitrary Shell code evaluation vulnerability</topic>
+    <affects>
+      <package>
+       <name>emacs</name>
+       <name>emacs-canna</name>
+       <name>emacs-nox</name>
+       <name>emacs-wayland</name>
+       <range><lt>29.3_3,3</lt></range>
+      </package>
+    </affects>
+    <description>
+	<body xmlns="http://www.w3.org/1999/xhtml">
+	<p>GNU Emacs developers report:</p>
+	<blockquote cite="https://lists.gnu.org/archive/html/info-gnu-emacs/2024-06/msg00000.html">
+	  <p>Emacs 29.4 is an emergency bugfix release intended to fix a security vulnerability.  Arbitrary shell commands are no longer run when turning on Org mode in order to avoid running malicious code.</p>
+	</blockquote>
+	</body>
+    </description>
+    <references>
+      <url>https://seclists.org/oss-sec/2024/q2/296</url>
+    </references>
+    <dates>
+      <discovery>2024-06-22</discovery>
+      <entry>2024-06-23</entry>
+    </dates>
+  </vuln>
+
   <vuln vid="82830965-3073-11ef-a17d-5404a68ad561">
     <topic>traefik -- Azure Identity Libraries Elevation of Privilege Vulnerability</topic>
     <affects>