Gentoo alert 202409-19 (Emacs, org-mode)
| From: | glsamaker@gentoo.org | |
| To: | gentoo-announce@lists.gentoo.org | |
| Subject: | [gentoo-announce] [ GLSA 202409-19 ] Emacs, org-mode: Command Execution Vulnerability | |
| Date: | Sun, 22 Sep 2024 09:04:46 -0000 | |
| Message-ID: | <172699588636.7.15453129463158526688@3f85d36892cf> |
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 202409-19 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - https://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: High Title: Emacs, org-mode: Command Execution Vulnerability Date: September 22, 2024 Bugs: #934736 ID: 202409-19 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======== A vulnerability has been found in Emacs and org-mode which could result in arbitrary code execution. Background ========== Emacs is the extensible, customizable, self-documenting real-time display editor. org-mode is an Emacs mode for notes and project planning. Affected packages ================= Package Vulnerable Unaffected ------------------ ------------- -------------- app-editors/emacs < 26.3-r19:26 >= 26.3-r19:26 < 27.2-r17:27 >= 27.2-r17:27 < 28.2-r13:28 >= 28.2-r13:28 < 29.3-r3:29 >= 29.3-r3:29 app-emacs/org-mode < 9.7.5 >= 9.7.5 Description =========== %(...) link abbreviations could specify unsafe functions. Impact ====== Opening a malicious org-mode file could result in arbitrary code execution. Workaround ========== There is no known workaround at this time. Resolution ========== All Emacs users should upgrade to the latest version according to the installed slot, one of: # emerge --sync # emerge --ask --oneshot --verbose ">=app-editors/emacs-26.3-r19:26" Alternatively: # emerge --ask --oneshot --verbose ">=app-editors/emacs-27.2-r17:27" # emerge --ask --oneshot --verbose ">=app-editors/emacs-28.2-r13:28" # emerge --ask --oneshot --verbose ">=app-editors/emacs-29.3-r3:29" All org-mode users should upgrade to the latest package: # emerge --ask --oneshot --verbose ">=app-emacs/org-mode-9.7.5" References ========== [ 1 ] CVE-2024-39331 https://nvd.nist.gov/vuln/detail/CVE-2024-39331 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: https://security.gentoo.org/glsa/202409-19 Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License ======= Copyright 2024 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. https://creativecommons.org/licenses/by-sa/2.5
Attachment: signature.asc (type=application/pgp-signature)
-----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEpqTA6ABLMxh/aChGFMQkOaVy+9kFAmbv3a4ACgkQFMQkOaVy +9mwdQ/+Kw2Z0I9R2qMEyFytN7kqr4rF8mvKAVqyNNMceE9XqlIMs22aowEh7zeq dokazETB89qZjJPUFt6NEj2gise/vbYWhj2OKj1mfsUGNUZfORkgNuXYm1zxV9G+ 2oAt1C5LWlGab9aK2YmOSCUYeaMBiH6FD9P/zd5x8K7DzsjH3eNJ2LVMgUJxshBY AeKXyOFiZmyqk/aXyxkbrMgrb+AM2N4hUttoNoqQvwzyUXstk+e5VE5JMwccfpsQ qLQSl8VKpgrPwqW6XZlNYV88XoWg2aL7Bi8tqtviNngMllgJLaLPFtLgrgz0mYP5 dQ6LUofWIr/OS4my7Jfj8nglF+32GyVImaLV2SGdaWWPRW9XfToE06CQ0Z5Lqy5c T0f5V3rRs8ao8FBXOGAWtaU2+X0A9RTWt8bY33sD1Y7/JfBQztrQsJ4oHBFeoghW vFYXQUi44zTZ68efFlIAQIN/AyUZIjXE8ZxkKADkWIwzWheMlnqtAtKH2WFU7/7Q 3H6dfzbUwgnK3YIt/5lpZLl8wdAVEA12lLITkMrW8dQzCgS39ZQUkOGvO2kgYHLw 6Vepev1USKsJiFZ/aVjr7Ps8NnwPD/0v/uIUa15QznbnLXG7b1JlB9KMLKdMQA65 tc+gEiYNwTJvIax+3PfLGWnnRVjKPBBGb0GwwcfRqo7bOV4QzpY= =0M+g -----END PGP SIGNATURE-----