GLSA Advocate
Joined: 12 May 2004 Posts: 2663
Posted: Thu Mar 20, 2014 11:26 am
Post subject: [ GLSA 201403-05 ] GNU Emacs: Multiple vulnerabilities
Gentoo Linux Security Advisory
Title: GNU Emacs: Multiple vulnerabilities (GLSA 201403-05)
Severity: normal
Exploitable: remote
Date: March 20, 2014
Bug(s): #398239, #431178
ID: 201403-05
Synopsis
Two vulnerabilities have been found in GNU Emacs, possibly leading
to user-assisted execution of arbitrary code.
Background
GNU Emacs is a highly extensible and customizable text editor.
Affected Packages
Package: app-editors/emacs
Vulnerable: < 24.1-r1
Unaffected: >= 24.1-r1
Unaffected: >= 23.4-r4 < 23.5
Unaffected: < 23.2
Architectures: All supported architectures
Description
Multiple vulnerabilities have been discovered in GNU Emacs:
- When ‘global-ede-mode’ is enabled, EDE in Emacs automatically
  loads a Project.ede file from the project directory (CVE-2012-0035).
- When ‘enable-local-variables’ is set to ‘:safe’, Emacs
  automatically processes eval forms (CVE-2012-3479).
Impact
A remote attacker could entice a user to open a specially crafted file,
possibly resulting in execution of arbitrary code with the privileges of
the process or a Denial of Service condition.
Workaround
There is no known workaround at this time.
Resolution
All GNU Emacs 24.x users should upgrade to the latest version:
Code:
# emerge --sync
# emerge --ask --oneshot --verbose ">=app-editors/emacs-24.1-r1"

All GNU Emacs 23.x users should upgrade to the latest version:
Code:
# emerge --sync
# emerge --ask --oneshot --verbose ">=app-editors/emacs-23.4-r4"
References
CVE-2012-0035
CVE-2012-3479
Last edited by GLSA on Sat Nov 08, 2014 4:33 am; edited 2 times in total
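The "Affected Packages" table above lists three separate unaffected ranges, which is easy to misread when several Emacs slots are installed. The following is an added example, not part of the advisory or of Portage: it classifies installed `app-editors/emacs` atoms against those ranges. The helper names, the simplified version parser (dotted numbers plus an optional `-rN` only) and the sample atom list are assumptions made for illustration.

```python
import re

PKG = "app-editors/emacs"
_VER = re.compile(r"^(\d+(?:\.\d+)*)(?:-r(\d+))?$")


def parse(version):
    """Turn '23.4-r4' into a sortable key ((23, 4), 4).

    Assumption: only dotted numbers plus an optional -rN revision are
    handled; suffixes such as _p1 or _rc2 raise ValueError.
    """
    m = _VER.match(version)
    if not m:
        raise ValueError(f"unsupported version: {version!r}")
    return tuple(int(p) for p in m.group(1).split(".")), int(m.group(2) or 0)


def is_unaffected(version):
    """Apply the three 'Unaffected' ranges from the Affected Packages table."""
    v = parse(version)
    return (
        v >= parse("24.1-r1")
        or parse("23.4-r4") <= v < parse("23.5")
        or v < parse("23.2")
    )


def audit(atoms):
    """Map each installed 'app-editors/emacs-<version>' atom to a verdict."""
    report = {}
    for atom in atoms:
        if not atom.startswith(PKG + "-"):
            continue  # a different package, not covered by this advisory
        version = atom[len(PKG) + 1:]
        try:
            report[atom] = "unaffected" if is_unaffected(version) else "vulnerable"
        except ValueError:
            report[atom] = "unknown"  # not a plain emacs version; check by hand
    return report


# Constructed sample: one atom per installed slot, not real host output.
SAMPLE = ["app-editors/emacs-23.4-r3", "app-editors/emacs-24.1",
          "app-editors/emacs-24.1-r1", "app-editors/vim-7.4"]

if __name__ == "__main__":
    for atom, verdict in audit(SAMPLE).items():
        print(f"{verdict:10}  {atom}")
```

Any slot reported as vulnerable is covered by the matching `emerge` command in the Resolution section.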