Page MenuHomeFreeBSD
Differential D45702

security/vuxml: Document Emacs < 29.4 vulnerability
ClosedPublic
Actions

Authored by jrm on Jun 23 2024, 4:18 PM.
Tags
None
Referenced Files
Unknown Object (File)
Fri, Feb 28, 10:22 PM
Unknown Object (File)
Fri, Feb 28, 9:46 PM
Unknown Object (File)
Fri, Feb 28, 8:52 PM
Unknown Object (File)
Thu, Feb 27, 11:51 AM
Unknown Object (File)
Feb 1 2025, 2:50 AM
Unknown Object (File)
Jan 18 2025, 10:44 AM
Unknown Object (File)
Jan 9 2025, 9:02 PM
Unknown Object (File)
Dec 25 2024, 12:27 AM
View All 44 Files
Subscribers
None

Details

Reviewers
ashish
yasu
Commits
R11:3c06e8a44bbc: security/vuxml: Document Emacs arbitrary shell code evaluation
Summary

Emacs 29.4 is an emergency bugfix release intended to fix a security
vulnerability. Arbitrary shell commands are no longer run when turning
on Org mode in order to avoid running malicious code.

Obtained from: https://git.savannah.gnu.org/cgit/emacs.git/tree/etc/NEWS?h=emacs-29.4
Sponsored by: The FreeBSD Foundation

Diff Detail

Repository
R11 FreeBSD ports repository
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

jrm requested review of this revision.Jun 23 2024, 4:18 PM
jrm created this revision.
Harbormaster completed remote builds in B58312: Diff 140123.Jun 23 2024, 4:18 PM
jrm added a child revision: D45703: editors/emacs: Update to 24.4, an emergency bugfix release.Jun 23 2024, 4:18 PM
jrm mentioned this in D45704: security/vuxml: Document Emacs < 29.4 vulnerability.Jun 23 2024, 4:21 PM
jrm mentioned this in D45703: editors/emacs: Update to 24.4, an emergency bugfix release.Jun 23 2024, 4:24 PM
yasu added a comment.Jun 23 2024, 6:38 PM

As for reference section,

  1. CVE doesn't seem to be assigned (at least yet), so cvename element should be removed. If assigned later we can add it then.
  2. What about specifying https://lists.gnu.org/archive/html/info-gnu-emacs/2024-06/msg00000.html as the value of url element?
jrm updated this revision to Diff 140143.Jun 23 2024, 8:25 PM

Incorporate suggestions from yasu.

Harbormaster completed remote builds in B58326: Diff 140143.Jun 23 2024, 8:25 PM
jrm updated this revision to Diff 140144.Jun 23 2024, 8:30 PM

Also use mailing list post for citation.

Harbormaster completed remote builds in B58327: Diff 140144.Jun 23 2024, 8:30 PM
yasu accepted this revision.Jun 23 2024, 8:34 PM

LGTM.

This revision is now accepted and ready to land.Jun 23 2024, 8:34 PM
ashish accepted this revision.Jun 23 2024, 9:21 PM

https://seclists.org/oss-sec/2024/q2/296 is the vulnerability announcement post, in case I we wish to add that. Eitherway, the entry looks fine to me. Thanks for working on this.

Closed by commit R11:3c06e8a44bbc: security/vuxml: Document Emacs arbitrary shell code evaluation (authored by jrm). · Explain WhyJun 23 2024, 9:38 PM
This revision was automatically updated to reflect the committed changes.
jrm added a commit: R11:3c06e8a44bbc: security/vuxml: Document Emacs arbitrary shell code evaluation.

Revision Contents
Changeset List

PathSize
security/
vuxml/
vuln/
28 lines

Diff 140148

View Options

security/vuxml/vuln/2024.xml

Loading...