ALAS2022-2023-277

Amazon Linux 2022 Security Advisory: ALAS-2023-277
Advisory Release Date: 2023-01-20 16:44 Pacific
Advisory Updated Date: 2023-01-24 21:14 Pacific
Severity: Important
Issue Overview:

GNU Emacs through 28.2 allows attackers to execute commands via shell metacharacters in the name of a source-code file, because lib-src/etags.c uses the system C library function in its implementation of the ctags program. For example, a victim may use the "ctags *" command (suggested in the ctags documentation) in a situation where the current working directory has contents that depend on untrusted input. (CVE-2022-45939)


Affected Packages:

emacs


Issue Correction:
Run dnf update emacs to update your system.

New Packages:
aarch64:
    emacs-devel-28.1-2.amzn2022.0.1.aarch64
    emacs-common-debuginfo-28.1-2.amzn2022.0.1.aarch64
    emacs-debugsource-28.1-2.amzn2022.0.1.aarch64
    emacs-common-28.1-2.amzn2022.0.1.aarch64
    emacs-nox-28.1-2.amzn2022.0.1.aarch64
    emacs-lucid-28.1-2.amzn2022.0.1.aarch64
    emacs-28.1-2.amzn2022.0.1.aarch64
    emacs-lucid-debuginfo-28.1-2.amzn2022.0.1.aarch64
    emacs-nox-debuginfo-28.1-2.amzn2022.0.1.aarch64
    emacs-debuginfo-28.1-2.amzn2022.0.1.aarch64

noarch:
    emacs-terminal-28.1-2.amzn2022.0.1.noarch
    emacs-filesystem-28.1-2.amzn2022.0.1.noarch

src:
    emacs-28.1-2.amzn2022.0.1.src

x86_64:
    emacs-common-debuginfo-28.1-2.amzn2022.0.1.x86_64
    emacs-devel-28.1-2.amzn2022.0.1.x86_64
    emacs-debugsource-28.1-2.amzn2022.0.1.x86_64
    emacs-nox-28.1-2.amzn2022.0.1.x86_64
    emacs-common-28.1-2.amzn2022.0.1.x86_64
    emacs-lucid-28.1-2.amzn2022.0.1.x86_64
    emacs-28.1-2.amzn2022.0.1.x86_64
    emacs-nox-debuginfo-28.1-2.amzn2022.0.1.x86_64
    emacs-debuginfo-28.1-2.amzn2022.0.1.x86_64
    emacs-lucid-debuginfo-28.1-2.amzn2022.0.1.x86_64

Additional References

Red Hat: CVE-2022-45939

Mitre: CVE-2022-45939