First published: Mon Nov 28 2022
GNU Emacs through 28.2 allows attackers to execute commands via shell metacharacters in the name of a source-code file, because lib-src/etags.c uses the system() C library function, which hands its argument to /bin/sh for parsing, in its implementation of the ctags program. For example, a victim may run the "ctags *" command (suggested in the ctags documentation) in a situation where the contents of the current working directory depend on untrusted input.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| GNU Emacs | <=28.2 | |
| Debian Linux | =10.0 | |
| Debian Linux | =11.0 | |
| Fedora | =36 | |
| Fedora | =37 | |
| debian/emacs | 1:27.1+1-3.1+deb11u5 1:28.2+1-15+deb12u3 1:29.4+1-4 | |
| debian/xemacs21 | <=21.4.24-9 | 21.4.24-11 21.4.24-12 |
Reference: https://git.savannah.gnu.org/cgit/emacs.git/commit/?id=d48bb4874bc6cd3e69c7a15fc3c91cc141025c51
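The defensive patterns that close this class of bug, as an added C example (not code from etags.c or from the referenced commit): flag or single-quote a file name before it reaches system(), or, better, skip the shell entirely and exec the helper with the file name as its own argv element. The names has_shell_meta, shell_quote and run_without_shell are this example's own.

```c
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Returns 1 if NAME contains a character that /bin/sh treats specially,
 * so a tool can refuse or quote it before building a command line.
 * (Constructed check for this example, not etags.c's own logic.) */
int has_shell_meta(const char *name)
{
    return strpbrk(name, " \t\n;&|<>()$`\\\"'*?[]#~!{}") != NULL;
}

/* Wrap NAME in single quotes so that sh passes it through as one literal
 * word; an embedded ' becomes '\'' . The caller frees the result. */
char *shell_quote(const char *name)
{
    size_t n = strlen(name), extra = 0;
    for (const char *p = name; *p; p++)
        if (*p == '\'') extra += 3;          /* ' -> '\'' grows by 3 bytes */
    char *out = malloc(n + extra + 3);      /* two quotes plus NUL */
    if (!out) return NULL;
    char *q = out;
    *q++ = '\'';
    for (const char *p = name; *p; p++) {
        if (*p == '\'') { memcpy(q, "'\\''", 4); q += 4; }
        else            *q++ = *p;
    }
    *q++ = '\'';
    *q = '\0';
    return out;
}

/* Preferred fix: do not involve the shell at all. Run ARGV directly with
 * fork/execvp, so the file name is a single argv element rather than text
 * that sh parses. Returns the child's exit status, or -1 on failure. */
int run_without_shell(char *const argv[])
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) { execvp(argv[0], argv); _exit(127); }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```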
CVE-2022-45939 is a vulnerability in GNU Emacs that allows attackers to execute commands through shell metacharacters in the name of a source-code file.
CVE-2022-45939 affects GNU Emacs versions up to 28.2.
CVE-2022-45939 affects Debian Linux versions 10.0 and 11.0.
CVE-2022-45939 affects Fedora Linux versions 36 and 37.
To fix CVE-2022-45939 in GNU Emacs, update to version 28.3 or later.
To fix CVE-2022-45939 in Debian Linux, apply the recommended security updates.
To fix CVE-2022-45939 in Fedora Linux, update to a version that includes the security patch.