ALAS-2025-849


Amazon Linux 2023 Security Advisory: ALAS-2025-849
Advisory Release Date: 2025-02-12 22:57 Pacific
Advisory Updated Date: 2025-02-21 13:45 Pacific
Severity: Important

Issue Overview:

In elisp-mode.el in GNU Emacs through 30.0.92, a user who chooses to invoke elisp-completion-at-point (for code completion) on untrusted Emacs Lisp source code can trigger unsafe Lisp macro expansion that allows attackers to execute arbitrary code. (This unsafe expansion also occurs if a user chooses to enable on-the-fly diagnosis that byte compiles untrusted Emacs Lisp source code.) (CVE-2024-53920)


Affected Packages:

emacs


Issue Correction:
Run dnf update emacs --releasever 2023.6.20250218 to update your system.

New Packages:
aarch64:
    emacs-lucid-debuginfo-28.2-3.amzn2023.0.9.aarch64
    emacs-common-debuginfo-28.2-3.amzn2023.0.9.aarch64
    emacs-devel-28.2-3.amzn2023.0.9.aarch64
    emacs-nox-debuginfo-28.2-3.amzn2023.0.9.aarch64
    emacs-debuginfo-28.2-3.amzn2023.0.9.aarch64
    emacs-debugsource-28.2-3.amzn2023.0.9.aarch64
    emacs-nox-28.2-3.amzn2023.0.9.aarch64
    emacs-28.2-3.amzn2023.0.9.aarch64
    emacs-lucid-28.2-3.amzn2023.0.9.aarch64
    emacs-common-28.2-3.amzn2023.0.9.aarch64

noarch:
    emacs-filesystem-28.2-3.amzn2023.0.9.noarch
    emacs-terminal-28.2-3.amzn2023.0.9.noarch

src:
    emacs-28.2-3.amzn2023.0.9.src

x86_64:
    emacs-nox-debuginfo-28.2-3.amzn2023.0.9.x86_64
    emacs-lucid-debuginfo-28.2-3.amzn2023.0.9.x86_64
    emacs-common-debuginfo-28.2-3.amzn2023.0.9.x86_64
    emacs-debuginfo-28.2-3.amzn2023.0.9.x86_64
    emacs-devel-28.2-3.amzn2023.0.9.x86_64
    emacs-debugsource-28.2-3.amzn2023.0.9.x86_64
    emacs-28.2-3.amzn2023.0.9.x86_64
    emacs-nox-28.2-3.amzn2023.0.9.x86_64
    emacs-lucid-28.2-3.amzn2023.0.9.x86_64
    emacs-common-28.2-3.amzn2023.0.9.x86_64
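
To confirm that the update under Issue Correction took effect, the following added example (not part of the original advisory) flags any installed emacs package older than the fixed version-release shown in the New Packages list. The function names and sample package lines are constructed for illustration, and GNU `sort -V` is assumed as a stand-in for RPM's own version comparison.

```shell
#!/bin/sh
# Fixed version-release, taken from this advisory's "New Packages" list.
FIXED_VR="28.2-3.amzn2023.0.9"

# vr_at_least A B: succeeds when version-release A is >= B.
# Assumption: GNU `sort -V` ordering approximates rpm's comparison, which
# holds for this scheme (no epoch, no tilde or caret markers).
vr_at_least() {
    [ "$1" = "$2" ] && return 0
    lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)
    [ "$lowest" = "$2" ]
}

# check_emacs_packages: reads "name version-release" lines on stdin, prints
# one status line per emacs package, returns 1 if any is below the fix.
check_emacs_packages() {
    status=0
    while read -r name vr; do
        case "$name" in
            emacs|emacs-*) ;;      # packages listed in the advisory
            *) continue ;;         # ignore everything else
        esac
        if vr_at_least "$vr" "$FIXED_VR"; then
            echo "OK         $name $vr"
        else
            echo "VULNERABLE $name $vr (need >= $FIXED_VR)"
            status=1
        fi
    done
    return $status
}

# Constructed sample input: a partially updated host.
SAMPLE='emacs-nox 28.2-3.amzn2023.0.8
emacs-common 28.2-3.amzn2023.0.8
emacs-filesystem 28.2-3.amzn2023.0.9
bash 5.2.15-1.amzn2023.0.2'

printf '%s\n' "$SAMPLE" | check_emacs_packages || true

# On a real host, feed it the installed package list instead:
#   rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n' 'emacs*' | check_emacs_packages
```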