Your message dated Sat, 03 Dec 2022 01:05:33 +0000
with message-id <e1p1gyd-00bau1...@fasolo.debian.org>
and subject line Bug#1025009: fixed in emacs 1:28.2+1-8
has caused the Debian Bug report #1025009,
regarding emacs: CVE-2022-45939: ctags local command execute vulnerability
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1025009: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1025009
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: emacs
Version: 1:28.2+1-7
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for emacs.

CVE-2022-45939[0]:
| GNU Emacs through 28.2 allows attackers to execute commands via shell
| metacharacters in the name of a source-code file, because
| lib-src/etags.c uses the system C library function in its implementation
| of the ctags program. For example, a victim may use the "ctags *"
| command (suggested in the ctags documentation) in a situation where
| the current working directory has contents that depend on untrusted
| input.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-45939
    https://www.cve.org/CVERecord?id=CVE-2022-45939
[1] https://git.savannah.gnu.org/cgit/emacs.git/commit/?id=d48bb4874bc6cd3e69c7a15fc3c91cc141025c51

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
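
The bug class named in the CVE text above, as an added example that is not part of the original message and is not Emacs code: a hypothetical helper that sorts a file with the external `sort` program, first as a shell command string and then as an argument vector run without a shell. The function names, the temporary directory and the file name are constructed for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <spawn.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

extern char **environ;

/* Vulnerable pattern: the name is pasted into text that system() would hand
   to /bin/sh -c, so ';', '`' or '$(' in the name is parsed as shell syntax. */
int shell_command_for(const char *path, char *cmd, size_t n) {
    return snprintf(cmd, n, "sort -o %s %s", path, path);
}

/* Hardened form: one argv element per argument and no shell in between;
   "--" stops a name that starts with '-' from being read as an option. */
int sort_file_no_shell(const char *path) {
    char *argv[] = { "sort", "-o", (char *)path, "--", (char *)path, NULL };
    pid_t pid;
    int status;
    if (posix_spawnp(&pid, "sort", NULL, NULL, argv, environ) != 0) return -1;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Constructed check: sort a file whose name contains ';' and confirm that
   the content was sorted and no MARKER file appeared. Returns 0 on success. */
int demo(void) {
    char dir[] = "/tmp/ctags-demo-XXXXXX";
    const char *name = "x.c;touch MARKER";  /* constructed file name */
    char line[16] = "";
    if (!mkdtemp(dir) || chdir(dir) != 0) return 1;
    FILE *f = fopen(name, "w");
    if (!f) return 2;
    fputs("b\na\n", f);
    fclose(f);
    if (sort_file_no_shell(name) != 0) return 3;
    f = fopen(name, "r");
    if (!f) return 4;
    char *got = fgets(line, sizeof line, f);
    fclose(f);
    if (!got || strcmp(line, "a\n") != 0) return 5;
    return access("MARKER", F_OK) == 0 ? 6 : 0;
}

int main(void) { return demo(); }
```
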
--- Begin Message ---
Source: emacs
Source-Version: 1:28.2+1-8
Done: Sean Whitton <spwhit...@spwhitton.name>

We believe that the bug you reported is fixed in the latest version of
emacs, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1025...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sean Whitton <spwhit...@spwhitton.name> (supplier of updated emacs package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 01 Dec 2022 18:44:21 -0700
Source: emacs
Architecture: source
Version: 1:28.2+1-8
Distribution: unstable
Urgency: high
Maintainer: Rob Browning <r...@defaultvalue.org>
Changed-By: Sean Whitton <spwhit...@spwhitton.name>
Closes: 1025009
Changes:
 emacs (1:28.2+1-8) unstable; urgency=high
 .
   * Fix ctags local command execution vulnerability (CVE-2022-45939)
     (Closes: #1025009).

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
