Description
GNU Emacs through 28.2 allows attackers to execute commands via shell metacharacters in the name of a source-code file, because lib-src/etags.c uses the system() C library function in its implementation of the ctags program. For example, a victim may run the "ctags *" command (suggested in the ctags documentation) in a situation where the current working directory has contents that depend on untrusted input.
A flaw was found in Etags, the Ctags implementation of Emacs. A file with a crafted filename may result in arbitrary command execution when processed by Etags.
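The root cause described above is a file name being spliced into a command string that a shell then parses. The following added example (not code from Emacs or etags; the names run_on_file, has_shell_metachars and demo_metachar_filename are chosen for this illustration) shows the defensive pattern: pass the file name as a single argv element through fork/execvp, so no shell ever sees it, and terminate option parsing with "--" so a name beginning with '-' is not misread as a flag. The constructed file name carries metacharacters; cat reads the literal file and exits 0 because nothing interprets them.

```c
/* Added example: running a helper program on a file whose name may be
   attacker-controlled, without handing that name to a shell.
   Not code from Emacs/etags; run_on_file, has_shell_metachars and
   demo_metachar_filename are names chosen for this example. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Run `prog -- filename` via fork/execvp. The filename is one argv element:
   no shell parses it, so characters such as ; | $( ) and ` are inert.
   Returns the child's exit status, or -1 if it could not be spawned/waited. */
int run_on_file(const char *prog, const char *filename)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* "--" ends option parsing, so a name starting with '-' is treated
           as an operand by the helper program, not as a flag. */
        char *const argv[] = { (char *)prog, "--", (char *)filename, NULL };
        execvp(prog, argv);
        _exit(127);               /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Audit/detection helper: does the name contain characters a POSIX shell
   treats specially? Useful for flagging inputs when a shell cannot be avoided;
   it is not a substitute for bypassing the shell as run_on_file does. */
int has_shell_metachars(const char *name)
{
    return strpbrk(name, "|&;<>()$`\\\"' \t\n*?[#~=%") != NULL;
}

/* Demo: create an empty file whose name (constructed for this example)
   contains shell metacharacters, run `cat -- <name>` on it with no shell
   involved, and return cat's exit status (0 means it opened the literal file). */
int demo_metachar_filename(void)
{
    char path[256];
    snprintf(path, sizeof path, "/tmp/etags-demo-%ld;echo$(x).c", (long)getpid());
    FILE *f = fopen(path, "w");
    if (!f)
        return -1;
    fclose(f);
    int rc = run_on_file("cat", path);
    unlink(path);
    return rc;
}
```

If a program genuinely needs shell features (redirection, pipelines), the same principle applies: invoke the shell with a fixed script and hand the file name to it as a positional parameter ("$1"), never by concatenating it into the script text.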
Statement
This vulnerability is only triggered when a local user runs etags on untrusted input, for example a file with a crafted filename in the directory or set of files being processed by etags. For this reason, this flaw has been rated with a moderate security impact.
Mitigation
Do not run Etags on untrusted input, for example in an untrusted directory or set of files.
Affected packages
Platform | Package | State | Advisory | Release
---|---|---|---|---
Red Hat Enterprise Linux 6 | emacs | Out of support scope | |
Red Hat Enterprise Linux 7 | emacs | Out of support scope | |
Red Hat Enterprise Linux 8 | emacs | Fixed | RHSA-2023:3042 | 16.05.2023
Red Hat Enterprise Linux 8.6 Extended Update Support | emacs | Fixed | RHSA-2024:1103 | 05.03.2024
Red Hat Enterprise Linux 9 | emacs | Fixed | RHSA-2023:2366 | 09.05.2023
Additional information
CVSS3 score: 7.8 High
Related vulnerabilities