CVE-2022-45939

Name
CVE-2022-45939
Description
GNU Emacs through 28.2 allows attackers to execute commands via shell metacharacters in the name of a source-code file, because lib-src/etags.c uses the system C library function in its implementation of the ctags program. For example, a victim may use the "ctags *" command (suggested in the ctags documentation) in a situation where the current working directory has contents that depend on untrusted input.
NVD Severity
medium

References

| Type | URI |
| --- | --- |
| MISC | https://git.savannah.gnu.org/cgit/emacs.git/commit/?id=d48bb4874bc6cd3e69c7a15fc3c91cc141025c51 |
| Mailing List | https://lists.debian.org/debian-lts-announce/2022/12/msg00046.html |
| Third Party Advisory | https://www.debian.org/security/2023/dsa-5314 |
| | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GOXIH2FDEQJEAARE52C3GHTLGQFBYPIB/ |
| | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FOSK3J7BBAEI4IITW2DRUKLQYUZYKH6Y/ |

Match rules

| CPE URI | Source package | Min version | Max version |
| --- | --- | --- | --- |
| cpe:2.3:a:gnu:emacs:*:*:*:*:*:*:*:* | emacs | >= None | <= 28.2 |

Vulnerable and fixed packages

| Source package | Branch | Version | Maintainer | Status |
| --- | --- | --- | --- | --- |
| emacs | 3.17-community | 28.2-r3 | Natanael Copa <ncopa@alpinelinux.org> | fixed |
| emacs | 3.18-community | 28.2-r8 | Natanael Copa <ncopa@alpinelinux.org> | fixed |