- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 201801-07
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                           https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal
    Title: GNU Emacs: Command injection
     Date: January 07, 2018
     Bugs: #630680
       ID: 201801-07

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A vulnerability has been found in Emacs which may allow for arbitrary
command execution.

Background
==========

GNU Emacs is a highly extensible and customizable text editor.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /     Vulnerable     /            Unaffected
    -------------------------------------------------------------------
  1  app-editors/emacs         < 23.4-r16:23          >= 23.4-r16:23
                               < 24.5-r4:24           >= 24.5-r4:24
                               < 25.2-r1:25           >= 25.2-r1:25

Description
===========

A command injection flaw within the Emacs "enriched mode" handling has
been discovered.

Impact
======

A remote attacker, by enticing a user to open a specially crafted file,
could execute arbitrary commands with the privileges of the process.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All GNU Emacs 23.x users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=app-editors/emacs-23.4-r16"

All GNU Emacs 24.x users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=app-editors/emacs-24.5-r4"

All GNU Emacs 25.x users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=app-editors/emacs-25.2-r1"

References
==========

[ 1 ] CVE-2017-14482
      https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-14482

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/201801-07
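
The per-slot thresholds in the "Affected packages" table can be checked mechanically. The script below is an added example, not part of the advisory or of Gentoo's tooling: its function names are hypothetical, the sample atoms are constructed, and the version comparison is simplified to the N(.N)*[-rN] form used in the table.

```sh
#!/bin/sh
# Added example, not part of GLSA 201801-07. The fixed versions come from
# the advisory's "Affected packages" table; function names are made up here.

# Fixed version for a slot (the Emacs major version); fails if not listed.
fixed_for_slot() {
    case "$1" in
        23) echo "23.4-r16" ;;
        24) echo "24.5-r4" ;;
        25) echo "25.2-r1" ;;
        *)  return 1 ;;
    esac
}

# Succeeds when version $1 is strictly lower than $2. Handles N(.N)*[-rN]
# only: suffixes such as _p1 or _rc2 are not handled, and a missing
# component counts as 0 (a simplification of Gentoo's version ordering).
ver_lt() {
    local a="${1%-r*}" b="${2%-r*}" ar=0 br=0 x y
    case "$1" in *-r*) ar="${1##*-r}" ;; esac
    case "$2" in *-r*) br="${2##*-r}" ;; esac
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; y="${b%%.*}"
        [ "${x:-0}" -lt "${y:-0}" ] && return 0
        [ "${x:-0}" -gt "${y:-0}" ] && return 1
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
    done
    [ "$ar" -lt "$br" ]
}

# Prints "vulnerable", "unaffected" or "not-listed" for a version or atom.
glsa_status() {
    local ver="${1#app-editors/emacs-}" fixed
    fixed=$(fixed_for_slot "${ver%%.*}") || { echo "not-listed"; return 0; }
    if ver_lt "$ver" "$fixed"; then echo "vulnerable"; else echo "unaffected"; fi
}

# Constructed sample input in the form "category/name-version".
for atom in app-editors/emacs-23.4-r15 app-editors/emacs-24.5-r4 \
            app-editors/emacs-25.2 app-editors/emacs-25.3-r1; do
    printf '%-28s %s\n' "$atom" "$(glsa_status "$atom")"
done
```

On a Gentoo system the installed atoms can be listed with `qlist -Iv app-editors/emacs` (from app-portage/portage-utils) and passed to `glsa_status` one per call.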