CVE-2023-27985

Name
CVE-2023-27985
Description
emacsclient-mail.desktop in Emacs 28.1 through 28.2 is vulnerable to shell command injection through a crafted mailto: URI. This is related to lack of compliance with the Desktop Entry Specification. It is fixed in 29.0.90.
NVD Severity
medium
Other trackers
Mailing lists
Exploits
Forges
GitHub (code, issues), Aports (code, issues)

References

Type   URI
MISC   https://debbugs.gnu.org/cgi/bugreport.cgi?bug=60204
MISC   https://www.openwall.com/lists/oss-security/2023/03/08/2
MISC   http://git.savannah.gnu.org/cgit/emacs.git/commit/?h=emacs-29&id=d32091199ae5de590a83f1542a01d75fba000467
MLIST  http://www.openwall.com/lists/oss-security/2023/03/09/1
MISC   https://www.gabriel.urdhr.fr/2023/06/08/emacsclient-mail-shell-elisp-injections/

Match rules

CPE URI                              Source package  Min version  Max version
cpe:2.3:a:gnu:emacs:*:*:*:*:*:*:*:*  emacs           >= 28.1      <= 28.2

Vulnerable and fixed packages

Source package  Branch          Version  Maintainer                             Status
emacs           3.17-community  28.2-r3  Natanael Copa <ncopa@alpinelinux.org>  fixed
emacs           3.18-community  28.2-r8  Natanael Copa <ncopa@alpinelinux.org>  fixed