SUSE update for emacs

This security bulletin contains one high-risk vulnerability.


1) OS Command Injection


EUVDB-ID: #VU69808


Risk: High


CVSSv3.1:


CVE-ID: CVE-2022-45939


CWE-ID: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')


Exploit availability: No


Description

The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.


The vulnerability exists due to improper input validation when processing the name of a source-code file in lib-src/etags.c. A remote attacker can trick the victim into running the "ctags *" command and execute arbitrary OS commands on the target system in a situation where the current working directory has contents that depend on untrusted input.

Mitigation

Update the affected package emacs to the latest version.


Vulnerable software versions

SUSE Enterprise Storage: 6 - 7.1


SUSE Manager Retail Branch Server: 4.1 - 4.2


SUSE Manager Server: 4.1 - 4.2


SUSE Manager Proxy: 4.1 - 4.2


SUSE Linux Enterprise Server for SAP: 15-SP1 - 15-SP2


SUSE Linux Enterprise Server: 15-LTSS - 15-SP3


SUSE Linux Enterprise High Performance Computing: 15-ESPOS - 15-SP3


SUSE Linux Enterprise Desktop: 15-SP3


SUSE CaaS Platform: 4.0


openSUSE Leap: 15.3


SUSE Linux Enterprise Server for SAP Applications: 15-SP3


SUSE Linux Enterprise Module for Desktop Applications: 15-SP3


SUSE Linux Enterprise Module for Basesystem: 15-SP3


emacs-info: before 25.3-150000.3.12.1


emacs-el: before 25.3-150000.3.12.1


etags-debuginfo: before 25.3-150000.3.12.1


etags: before 25.3-150000.3.12.1


emacs-x11-debuginfo: before 25.3-150000.3.12.1


emacs-x11: before 25.3- ..
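An added check, not part of this bulletin or of SUSE's tooling: a small Python script that compares installed RPM versions against the fixed version listed above for the packages the bulletin names in full (emacs-x11 is left out because its version is truncated on the page). It assumes the installed packages carry epoch 0 and that the input is the output of `rpm -qa --qf '%{NAME} %{EPOCHNUM}:%{VERSION}-%{RELEASE}\n'`; the sample output embedded below is constructed.

```python
import re

# Fixed version from the advisory for each package it lists in full.
# Assumption: epoch 0, i.e. the fixed EVR is 0:25.3-150000.3.12.1.
FIXED_EVR = "25.3-150000.3.12.1"
ADVISORY_PACKAGES = ("emacs-info", "emacs-el", "etags-debuginfo",
                     "etags", "emacs-x11-debuginfo")

# Constructed sample output of:
#   rpm -qa --qf '%{NAME} %{EPOCHNUM}:%{VERSION}-%{RELEASE}\n'
SAMPLE_RPM_QA = """\
etags 0:25.3-150000.3.9.1
emacs-info 0:25.3-150000.3.12.1
emacs-el 0:25.3-150000.3.15.2
bash 0:4.4-150400.25.22
"""

def rpmvercmp(a, b):
    """Segment-wise compare in the style of rpm's rpmvercmp(): split into
    digit/alpha runs, numeric beats alpha, numbers compare by value, and
    leftover segments win. Tilde/caret handling is deliberately omitted."""
    sa, sb = (re.findall(r"[0-9]+|[A-Za-z]+", s) for s in (a, b))
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        if x.isdigit():
            x, y = x.lstrip("0") or "0", y.lstrip("0") or "0"
            if len(x) != len(y):
                return 1 if len(x) > len(y) else -1
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def evrcmp(a, b):
    """Compare 'epoch:version-release' strings; a missing epoch means 0."""
    def split(evr):
        epoch, sep, rest = evr.partition(":")
        if not sep:
            epoch, rest = "0", evr
        version, _, release = rest.partition("-")
        return int(epoch), version, release
    (ea, va, ra), (eb, vb, rb) = split(a), split(b)
    if ea != eb:
        return (ea > eb) - (ea < eb)
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)

def vulnerable_packages(rpm_qa_output):
    """Return (name, installed EVR) for advisory packages still below the fix."""
    hits = []
    for line in rpm_qa_output.splitlines():
        parts = line.split()
        if (len(parts) == 2 and parts[0] in ADVISORY_PACKAGES
                and evrcmp(parts[1], FIXED_EVR) < 0):
            hits.append((parts[0], parts[1]))
    return hits
```

Feed it the real `rpm -qa` output on a host to list the packages from this bulletin that still need the update.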
