Skip to content

1.147.0
Compare
Choose a tag to compare
@cf-buildpacks-eng cf-buildpacks-eng released this 20 Sep 15:45
· 27 commits to main since this release
1.147.0
2f114fb

Notably, this release addresses:

USN-7027-1 Emacs vulnerabilities:

  • CVE-2024-39331:
    In Emacs before 29.4, org-link-expand-abbrev in lisp/ol.el expands a %(...)
    link abbrev even when it specifies an unsafe function, such as
    shell-command-to-string. This affects Org Mode before 9.7.5.
  • CVE-2024-30205:
    In Emacs before 29.3, Org mode considers contents of remote files to be
    trusted. This affects Org Mode before 9.6.23.
  • CVE-2024-30203:
    In Emacs before 29.3, Gnus treats inline MIME contents as trusted.
  • CVE-2023-28617:
    org-babel-execute:latex in ob-latex.el in Org Mode through 9.6.1 for GNU
    Emacs allows attackers to execute arbitrary commands via a file name or
    directory name that contains shell metacharacters.
  • CVE-2022-48339:
    An issue was discovered in GNU Emacs through 28.2. htmlfontify.el has a
    command injection vulnerability. In the hfy-istext-command function, the
    parameter file and parameter srcdir come from external input, and
    parameters are not escaped. If a file name or directory name contains shell
    metacharacters, code may be executed.
  • CVE-2024-30204:
    In Emacs before 29.3, LaTeX preview is enabled by default for e-mail
    attachments.
  • CVE-2022-48338:
    An issue was discovered in GNU Emacs through 28.2. In ruby-mode.el, the
    ruby-find-library-file function has a local command injection
    vulnerability. The ruby-find-library-file function is an interactive
    function, and bound to C-c C-f. Inside the function, the external command
    gem is called through shell-command-to-string, but the feature-name
    parameters are not escaped. Thus, malicious Ruby source files may cause
    commands to be executed.
  • CVE-2022-48337:
    GNU Emacs through 28.2 allows attackers to execute commands via shell
    metacharacters in the name of a source-code file, because lib-src/etags.c
    uses the system C library function in its implementation of the etags
    program. For example, a victim may use the "etags -u *" command (suggested
    in the etags documentation) in a situation where the current working
    directory has contents that depend on untrusted input.
  • CVE-2022-45939:
    GNU Emacs through 28.2 allows attackers to execute commands via shell
    metacharacters in the name of a source-code file, because lib-src/etags.c
    uses the system C library function in its implementation of the ctags
    program. For example, a victim may use the "ctags *" command (suggested in
    the ctags documentation) in a situation where the current working directory
    has contents that depend on untrusted input.
-ii  libpcap0.8:amd64 1.10.1-4build1          amd64 system interface for user-level packet capture
+ii  libpcap0.8:amd64 1.10.1-4ubuntu1.22.04.1 amd64 system interface for user-level packet capture```
Assets 3
Loading