This security bulletin contains one high risk vulnerability.
1) OS Command Injection
EUVDB-ID: #VU69808
Risk: High
CVSSv3.1:
CVE-ID: CVE-2022-45939
CWE-ID: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Exploit availability: No
Description
The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.
The vulnerability exists due to improper input validation when processing the name of a source-code file in lib-src/etags.c. A remote attacker can trick the victim into running the "ctags *" command and execute arbitrary OS commands on the target system in a situation where the current working directory has contents that depend on untrusted input.
Mitigation
Update the affected package emacs to the latest version.
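The scenario above hinges on file names in the current directory being attacker-influenced before a wildcard hands them to etags/ctags. The following POSIX shell script is an added example, not part of this bulletin or of the emacs project: it is a pre-flight check that lists directory entries whose names fall outside a conservative allow-list (letters, digits, ".", "_", "+", "-"), so an operator can review them before indexing an untrusted tree. The function names, the allow-list and the demo directory it builds are all constructed for this example; updating the package remains the actual fix.

```shell
#!/bin/sh
# Added example (not from the advisory): flag directory entries whose names
# contain anything outside a conservative allow-list before running "etags *"
# or "ctags *" on a tree whose contents depend on untrusted input.

# is_safe_name NAME -> 0 if NAME consists only of [A-Za-z0-9._+-], 1 otherwise.
is_safe_name() {
    nl=$(printf '\nx'); nl=${nl%x}          # a literal newline, portably
    case $1 in
        "")        return 1 ;;              # empty name never passes
        *"$nl"*)   return 1 ;;              # embedded newline never passes
    esac
    # grep reports any character outside the allow-list
    printf '%s' "$1" | grep -q '[^A-Za-z0-9._+-]' && return 1
    return 0
}

# unsafe_names DIR -> prints each suspicious entry name on its own line.
# Returns 0 when at least one was found, 1 when the directory is clean.
unsafe_names() {
    _dir=$1
    _found=1
    # include dotfiles; unmatched globs stay literal and are skipped by the test
    for _f in "$_dir"/* "$_dir"/.[!.]* "$_dir"/..?*; do
        [ -e "$_f" ] || [ -L "$_f" ] || continue
        _name=${_f##*/}
        if ! is_safe_name "$_name"; then
            printf '%s\n' "$_name"
            _found=0
        fi
    done
    return $_found
}

# Constructed demo directory: two ordinary sources plus one name carrying a
# shell metacharacter (";") that an operator would want to look at first.
demo_dir=$(mktemp -d)
: > "$demo_dir/main.c"
: > "$demo_dir/util.h"
: > "$demo_dir/odd;name.c"

if unsafe_names "$demo_dir"; then
    echo "review the names above before running etags in $demo_dir" >&2
else
    echo "no suspicious names in $demo_dir"
fi
rm -rf "$demo_dir"
```

Run it in place of a bare `etags *` on any directory populated from external input (an unpacked archive, a checkout of an unreviewed branch); a non-zero count means stop and inspect rather than index. The allow-list approach is deliberately stricter than a deny-list of known metacharacters, so it also catches spaces, quotes and non-ASCII names that are harmless in one tool and not in another.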
Vulnerable software versions
SUSE Enterprise Storage: 6 - 7.1
SUSE Manager Retail Branch Server: 4.1 - 4.2
SUSE Manager Server: 4.1 - 4.2
SUSE Manager Proxy: 4.1 - 4.2
SUSE Linux Enterprise Server for SAP: 15-SP1 - 15-SP2
SUSE Linux Enterprise Server: 15-LTSS - 15-SP3
SUSE Linux Enterprise High Performance Computing: 15-ESPOS - 15-SP3
SUSE Linux Enterprise Desktop: 15-SP3
SUSE CaaS Platform: 4.0
openSUSE Leap: 15.3
SUSE Linux Enterprise Server for SAP Applications: 15-SP3
SUSE Linux Enterprise Module for Desktop Applications: 15-SP3
SUSE Linux Enterprise Module for Basesystem: 15-SP3
emacs-info: before 25.3-150000.3.12.1
emacs-el: before 25.3-150000.3.12.1
etags-debuginfo: before 25.3-150000.3.12.1
etags: before 25.3-150000.3.12.1
emacs-x11-debuginfo: before 25.3-150000.3.12.1
emacs-x11: before 25.3- ..