FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The VUXML data was last processed by FreshPorts on 2024-11-23 17:01:17 UTC

List all Vulnerabilities, by package

List all Vulnerabilities, by date

k68

These are the vulnerabilities relating to the commit you have selected:

VuXML ID	Description
4f6c4c07-3179-11ef-9da5-1c697a616631	emacs -- Arbitrary shell code evaluation vulnerability GNU Emacs developers report: Emacs 29.4 is an emergency bugfix release intended to fix a security vulnerability. Arbitrary shell commands are no longer run when turning on Org mode in order to avoid running malicious code. Discovery 2024-06-22 Entry 2024-06-23 emacs emacs-canna emacs-nox emacs-wayland < 29.3_3,3 emacs-devel emacs-devel-nox < 30.0.50.20240615_1,3 https://seclists.org/oss-sec/2024/q2/296
a75929bd-b6a4-11ed-bad6-080027f5fec9	emacs -- multiple vulnerabilities Xi Lu reports: CVE-2022-48337 GNU Emacs through 28.2 allows attackers to execute commands via shell metacharacters in the name of a source-code file, because lib-src/etags.c uses the system C library function in its implementation of the etags program. For example, a victim may use the "etags -u *" command (suggested in the etags documentation) in a situation where the current working directory has contents that depend on untrusted input. CVE-2022-48338 An issue was discovered in GNU Emacs through 28.2. In ruby-mode.el, the ruby-find-library-file function has a local command injection vulnerability. The ruby-find-library-file function is an interactive function, and bound to C-c C-f. Inside the function, the external command gem is called through shell-command-to-string, but the feature-name parameters are not escaped. Thus, malicious Ruby source files may cause commands to be executed. CVE-2022-48339 An issue was discovered in GNU Emacs through 28.2. htmlfontify.el has a command injection vulnerability. In the hfy-istext-command function, the parameter file and parameter srcdir come from external input, and parameters are not escaped. If a file name or directory name contains shell metacharacters, code may be executed. Discovery 2022-12-06 Entry 2023-02-27 emacs emacs-canna emacs-nox < 28.2_3,3 emacs-devel emacs-devel-nox < 30.0.50.20230101,3 CVE-2022-48337 CVE-2022-48338 CVE-2022-48339 https://www.debian.org/security/2023/dsa-5360

VuXML ID

Description

4f6c4c07-3179-11ef-9da5-1c697a616631

emacs -- Arbitrary shell code evaluation vulnerability

GNU Emacs developers report:

Emacs 29.4 is an emergency bugfix release intended to fix a security vulnerability. Arbitrary shell commands are no longer run when turning on Org mode in order to avoid running malicious code.

Discovery 2024-06-22
Entry 2024-06-23
emacs
emacs-canna
emacs-nox
emacs-wayland

< 29.3_3,3

emacs-devel
emacs-devel-nox

< 30.0.50.20240615_1,3

https://seclists.org/oss-sec/2024/q2/296

a75929bd-b6a4-11ed-bad6-080027f5fec9

emacs -- multiple vulnerabilities

Xi Lu reports:

CVE-2022-48337

GNU Emacs through 28.2 allows attackers to execute commands via shell metacharacters in the name of a source-code file, because lib-src/etags.c uses the system C library function in its implementation of the etags program. For example, a victim may use the "etags -u *" command (suggested in the etags documentation) in a situation where the current working directory has contents that depend on untrusted input.

CVE-2022-48338

An issue was discovered in GNU Emacs through 28.2. In ruby-mode.el, the ruby-find-library-file function has a local command injection vulnerability. The ruby-find-library-file function is an interactive function, and bound to C-c C-f. Inside the function, the external command gem is called through shell-command-to-string, but the feature-name parameters are not escaped. Thus, malicious Ruby source files may cause commands to be executed.

CVE-2022-48339

An issue was discovered in GNU Emacs through 28.2. htmlfontify.el has a command injection vulnerability. In the hfy-istext-command function, the parameter file and parameter srcdir come from external input, and parameters are not escaped. If a file name or directory name contains shell metacharacters, code may be executed.

Discovery 2022-12-06
Entry 2023-02-27
emacs
emacs-canna
emacs-nox

< 28.2_3,3

emacs-devel
emacs-devel-nox

< 30.0.50.20230101,3

CVE-2022-48337
CVE-2022-48338
CVE-2022-48339
https://www.debian.org/security/2023/dsa-5360