First published: Wed Nov 27 2024
In elisp-mode.el in GNU Emacs through 30.0.92, a user who chooses to invoke elisp-completion-at-point (for code completion) on untrusted Emacs Lisp source code can trigger unsafe Lisp macro expansion that allows attackers to execute arbitrary code. (This unsafe expansion also occurs if a user chooses to enable on-the-fly diagnosis that byte compiles untrusted Emacs Lisp source code.)
Affected Software | Affected Version | How to fix
---|---|---
GNU Emacs | <=30.0.92 | Update to a version of GNU Emacs newer than 30.0.92
REDHAT-BUG-2329161 is considered a significant security vulnerability because it allows arbitrary code execution through unsafe Lisp macro expansion of untrusted source code.
To fix REDHAT-BUG-2329161, update to a version of GNU Emacs newer than 30.0.92, in which the vulnerability has been patched.
Users of GNU Emacs versions up to and including 30.0.92 are potentially affected by REDHAT-BUG-2329161.
REDHAT-BUG-2329161 is triggered when elisp-completion-at-point (code completion) is invoked on untrusted Emacs Lisp source code, or when on-the-fly diagnostics that byte-compile such code are enabled; both paths macro-expand the untrusted code, and that expansion can run arbitrary Lisp.
If you cannot update, do not invoke elisp-completion-at-point on untrusted Emacs Lisp source code, and do not enable on-the-fly byte-compiling diagnostics on such code, to mitigate the risk associated with REDHAT-BUG-2329161.