Your message dated Wed, 22 Feb 2023 20:35:33 +0000
with message-id <e1puvpt-00fjr7...@fasolo.debian.org>
and subject line Bug#1031730: fixed in emacs 1:28.2+1-11
has caused the Debian Bug report #1031730,
regarding emacs: CVE-2022-48339 CVE-2022-48338 CVE-2022-48337
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1031730: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1031730
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: emacs
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for emacs.

CVE-2022-48339[0]:
| An issue was discovered in GNU Emacs through 28.2. htmlfontify.el has
| a command injection vulnerability. In the hfy-istext-command function,
| the parameter file and parameter srcdir come from external input, and
| parameters are not escaped. If a file name or directory name contains
| shell metacharacters, code may be executed.

https://git.savannah.gnu.org/cgit/emacs.git/commit/?id=1b4dc4691c1f87fc970fbe568b43869a15ad0d4c

CVE-2022-48338[1]:
| An issue was discovered in GNU Emacs through 28.2. In ruby-mode.el,
| the ruby-find-library-file function has a local command injection
| vulnerability. The ruby-find-library-file function is an interactive
| function, and bound to C-c C-f. Inside the function, the external
| command gem is called through shell-command-to-string, but the
| feature-name parameters are not escaped. Thus, malicious Ruby source
| files may cause commands to be executed.

https://git.savannah.gnu.org/cgit/emacs.git/commit/?id=9a3b08061feea14d6f37685ca1ab8801758bfd1c

CVE-2022-48337[2]:
| GNU Emacs through 28.2 allows attackers to execute commands via shell
| metacharacters in the name of a source-code file, because
| lib-src/etags.c uses the system C library function in its
| implementation of the etags program. For example, a victim may use the
| "etags -u *" command (suggested in the etags documentation) in a
| situation where the current working directory has contents that depend
| on untrusted input.

https://git.savannah.gnu.org/cgit/emacs.git/commit/?id=01a4035c869b91c153af9a9132c87adb7669ea1c


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-48339
    https://www.cve.org/CVERecord?id=CVE-2022-48339
[1] https://security-tracker.debian.org/tracker/CVE-2022-48338
    https://www.cve.org/CVERecord?id=CVE-2022-48338
[2] https://security-tracker.debian.org/tracker/CVE-2022-48337
    https://www.cve.org/CVERecord?id=CVE-2022-48337

Please adjust the affected versions in the BTS as needed.

--- End Message ---
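All three CVEs in the report above share one root cause: a string under external control (a file name, a directory name, or a feature name read from a Ruby buffer) is concatenated into a shell command line without quoting, so shell metacharacters in it are interpreted by the shell. The Emacs Lisp below is an added example, not code from the Emacs sources, the upstream commits or the bug report. It models the ruby-mode case on a hypothetical "gem which" lookup; the demo- function names and the sample inputs are constructed for illustration.

```elisp
;; Added example (not from Emacs or the bug report): the unquoted
;; concatenation pattern behind CVE-2022-48338/-48339, next to two
;; defensive replacements.  FEATURE stands for a hypothetical
;; attacker-influenced string, e.g. taken from a `require' line.

(require 'subr-x)   ; for `string-trim'

(defun demo-unsafe-command-line (feature)
  "Vulnerable pattern: FEATURE is spliced into a shell command unquoted.
Returns the string `shell-command-to-string' would hand to the shell;
any metacharacter in FEATURE (;, |, $(...), backticks) is interpreted."
  (concat "gem which " feature))

(defun demo-quoted-command-line (feature)
  "Hardened pattern 1: escape FEATURE with `shell-quote-argument'.
The shell then sees FEATURE as a single literal word.  Note the quoting
rules depend on `system-type'; on Windows the output differs."
  (concat "gem which " (shell-quote-argument feature)))

(defun demo-gem-path-quoted (feature)
  "Run the quoted command line through the shell and return gem's output."
  (shell-command-to-string (demo-quoted-command-line feature)))

(defun demo-gem-path-argv (feature)
  "Hardened pattern 2: bypass the shell entirely.
`call-process' execs gem with an argument vector, so FEATURE reaches it
as exactly one argument no matter which characters it contains."
  (unless (executable-find "gem")
    (error "gem is not installed"))
  (with-temp-buffer
    (call-process "gem" nil t nil "which" feature)
    (string-trim (buffer-string))))

;; Constructed input carrying shell metacharacters of the kind the CVE
;; texts describe.  Nothing here is executed; the two forms only show
;; what each variant would pass to /bin/sh.  In the first string the
;; shell would treat "echo injected" as a second command; in the second
;; the whole thing is one escaped word that gem simply fails to find.
(let ((hostile "json; echo injected"))
  (list (demo-unsafe-command-line hostile)
        (demo-quoted-command-line hostile)))
```

Evaluate the buffer in Emacs and call (demo-gem-path-argv "json") on a machine with RubyGems installed; it returns the path of json.rb. Of the two fixes, the argument-vector form is the one to prefer in new code: it does not depend on getting the quoting rules right for whatever `shell-file-name` points at, and the same principle applies to the etags case in C, where building a command string for system() is what lets file names reach the shell.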
--- Begin Message ---
Source: emacs
Source-Version: 1:28.2+1-11
Done: Sean Whitton <spwhit...@spwhitton.name>

We believe that the bug you reported is fixed in the latest version of
emacs, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1031...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sean Whitton <spwhit...@spwhitton.name> (supplier of updated emacs package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 22 Feb 2023 11:01:50 -0700
Source: emacs
Architecture: source
Version: 1:28.2+1-11
Distribution: unstable
Urgency: high
Maintainer: Rob Browning <r...@defaultvalue.org>
Changed-By: Sean Whitton <spwhit...@spwhitton.name>
Closes: 1031730
Changes:
 emacs (1:28.2+1-11) unstable; urgency=high
 .
   * Cherry-pick upstream fixes for command injection vulnerabilities
     (CVE-2022-48337, CVE-2022-48338, CVE-2022-48339) (Closes: #1031730).
Checksums-Sha1:
 223dc2f593382eccceafc981e05660ef6427632f 2995 emacs_28.2+1-11.dsc
 b40e13562fceaff333833d18f75e5723be3a79fb 119512 emacs_28.2+1-11.debian.tar.xz
Checksums-Sha256:
 b9cdcf6248a472293f12b8e6dfc302e43fe4b87bda5262a393f6df30e7b496a6 2995 emacs_28.2+1-11.dsc
 043409b864361b16b0baf338dd7d5b85d1d0db07e16af1b2d7e9edaec4055815 119512 emacs_28.2+1-11.debian.tar.xz
Files:
 e8fe1e2fb7af9e707fcfa67a916484c6 2995 editors optional emacs_28.2+1-11.dsc
 a3a3ec1a4cc1fa36daee7ff11ba4abc9 119512 editors optional emacs_28.2+1-11.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---