REDHAT-BUG-2149380
First published: Tue Nov 29 2022(Updated: )
GNU Emacs through 28.2 allows attackers to execute commands via shell metacharacters in the name of a source-code file, because lib-src/etags.c uses the system C library function in its implementation of the ctags program. For example, a victim may use the "ctags *" command (suggested in the ctags documentation) in a situation where the current working directory has contents that depend on untrusted input. Reference and upstream patch: <a href="https://git.savannah.gnu.org/cgit/emacs.git/commit/?id=d48bb4874bc6cd3e69c7a15fc3c91cc141025c51">https://git.savannah.gnu.org/cgit/emacs.git/commit/?id=d48bb4874bc6cd3e69c7a15fc3c91cc141025c51</a>
| Affected Software | Affected Version | How to fix |
|---|---|---|
| GNU Emacs | <=28.2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://git.savannah.gnu.org/cgit/emacs.git/commit/?id=d48bb4874bc6cd3e69c7a15fc3c91cc141025c51
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2149381
- https://access.redhat.com/errata/RHSA-2023:2366
- https://access.redhat.com/errata/RHSA-2023:3042
- https://access.redhat.com/security/cve/cve-2022-45939
- https://access.redhat.com/errata/RHSA-2024:1103
- https://bugzilla.redhat.com/show_bug.cgi?id=2149380
- agent/severity
- agent/first-publish-date
- agent/description
- agent/event
- agent/type
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2022-45939
- agent/references
- agent/last-modified-date
- agent/source
- agent/softwarecombine
- agent/tags
- agent/guess-ai
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- vendor/gnu
- canonical/gnu emacs