ALAS-2023-1712 --- emacs
ID: oval:org.secpod.oval:def:1601684 | Date: (C)2023-04-14 (M)2024-01-03
Class: PATCH | Family: unix
GNU Emacs through 28.2 allows attackers to execute commands via shell metacharacters in the name of a source-code file, because lib-src/etags.c uses the C library function system() in its implementation of the ctags program. For example, a victim may run the "ctags *" command in a situation where the current working directory has contents that depend on untrusted input.

GNU Emacs through 28.2 allows attackers to execute commands via shell metacharacters in the name of a source-code file, because lib-src/etags.c uses the C library function system() in its implementation of the etags program. For example, a victim may run the "etags -u *" command in a situation where the current working directory has contents that depend on untrusted input.

An issue was discovered in GNU Emacs through 28.2. htmlfontify.el has a command injection vulnerability. In the hfy-istext-command function, the parameters file and srcdir come from external input and are not escaped. If a file name or directory name contains shell metacharacters, code may be executed.
Platform: Amazon Linux AMI