Critical GNU Emacs Vulnerabilities Fixed: Update Now
Canonical recently issued security updates addressing several Emacs vulnerabilities across multiple Ubuntu releases. Emacs is one of the most popular text editors on Linux. The identified vulnerabilities primarily involve improper sanitization of input and file names, and attackers could use them to execute arbitrary code, putting systems at risk. Applying the necessary patches is crucial to securing systems that use the Emacs text editor.
Overview of Emacs Vulnerabilities
Below are the details of the Emacs vulnerabilities that have been fixed in Ubuntu:
CVE-2022-45939 (CVSS v3 Severity Score: 7.8 High)
GNU Emacs up to version 28.2 contains a vulnerability that allows attackers to execute arbitrary commands via shell metacharacters in source code file names. The issue arises because the `ctags` program, implemented in `lib-src/etags.c`, relies on the C library's `system()` function. For instance, if a user runs `ctags *` (as recommended in the ctags documentation) in a directory whose contents are influenced by untrusted input, an attacker could leverage this vulnerability to execute malicious commands.
This vulnerability affects Ubuntu 18.04, Ubuntu 20.04 LTS, and Ubuntu 22.04 LTS.
CVE-2022-48337 (CVSS v3 Severity Score: 9.8 Critical)
GNU Emacs up to version 28.2 is vulnerable to command execution through shell metacharacters in source code file names. The issue occurs because the `etags` program, implemented in `lib-src/etags.c`, relies on the C library's `system()` function. For example, if a user runs `etags -u *` (as recommended in the etags documentation) in a directory whose files are influenced by untrusted input, an attacker could exploit this vulnerability to execute malicious commands.
This flaw affects Ubuntu 16.04, Ubuntu 20.04 LTS, and Ubuntu 22.04 LTS.
CVE-2022-48338 (CVSS v3 Severity Score: 7.3 High)
A vulnerability was identified in GNU Emacs up to version 28.2, specifically in `ruby-mode.el`. The `ruby-find-library-file` function, which is bound to `C-c C-f`, contains a local command injection flaw. This interactive function calls the external `gem` command using `shell-command-to-string` but fails to properly escape the `feature-name` parameter. As a result, malicious Ruby source files can exploit this issue to execute arbitrary commands.
This issue impacts only Ubuntu 20.04 LTS.
CVE-2022-48339 (CVSS v3 Severity Score: 7.8 High)
Another vulnerability was discovered in GNU Emacs up to version 28.2, specifically in `htmlfontify.el`. The `hfy-istext` function is susceptible to command injection, as the `file` and `srcdir` parameters are derived from external input and are not properly escaped. If a file or directory name contains shell metacharacters, it could lead to the execution of arbitrary code.
This flaw affects Ubuntu 18.04, Ubuntu 20.04 LTS, and Ubuntu 22.04 LTS.
CVE-2023-28617 (CVSS v3 Severity Score: 7.8 High)
The `org-babel-execute:latex` function in `ob-latex.el` in Org Mode up to version 9.6.1 for GNU Emacs contains a vulnerability that allows attackers to execute arbitrary commands. This occurs when a file name or directory name includes shell metacharacters.
This flaw also affects Ubuntu 18.04, Ubuntu 20.04 LTS, and Ubuntu 22.04 LTS.
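The file-name issues above share one root cause: a name is spliced unquoted into a string that a shell later parses. As an added example (not code from Emacs or from the advisory), the following Python uses constructed sample file names to show a pre-flight check for metacharacters, how a shell-style tokenizer sees the naive versus quoted command string, and the argv-based invocation that avoids the shell entirely.

```python
import re
import shlex
import subprocess
import sys

# Characters a POSIX shell treats specially when a file name is spliced
# unquoted into a command string (the root cause of the ctags/etags,
# htmlfontify and ob-latex issues described above).
SHELL_META = re.compile(r'[;&|`$<>(){}\[\]*?!#~\\\'"\s]')

# Constructed sample listing of a directory with untrusted contents.
SAMPLE_NAMES = ["main.c", "util;x.c", "notes`y`.c", "a b.h"]

def unsafe_names(names):
    """Pre-flight check before running 'ctags *' or 'etags -u *':
    return every name that contains a shell metacharacter."""
    return [n for n in names if SHELL_META.search(n)]

def naive_command(prog, names):
    """Vulnerable pattern: raw concatenation into one string for system()."""
    return prog + " " + " ".join(names)

def quoted_command(prog, names):
    """Hardened string form: shlex.quote turns each name into one literal word."""
    return " ".join([prog] + [shlex.quote(n) for n in names])

def shell_tokens(command):
    """Tokenize like a POSIX shell, with ';', '&', '|', '<', '>' and
    parentheses as operators, to show what the shell would execute."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return list(lexer)

def run_argv(names):
    """Preferred fix (upstream etags replaced system() with exec): pass an
    argv list with shell=False so no shell parses the names. Returns the
    names exactly as the child process received them."""
    child = [sys.executable, "-c",
             "import sys; print('\\n'.join(sys.argv[1:]))", *names]
    out = subprocess.run(child, capture_output=True, text=True, check=True)
    return out.stdout.splitlines()

if __name__ == "__main__":
    print("flagged:", unsafe_names(SAMPLE_NAMES))
    print("naive  :", shell_tokens(naive_command("ctags", SAMPLE_NAMES)))
    print("quoted :", shell_tokens(quoted_command("ctags", SAMPLE_NAMES)))
    print("argv   :", run_argv(SAMPLE_NAMES))
```

In Emacs Lisp the equivalent of `shlex.quote` is `shell-quote-argument`, which is what the fixes for the `shell-command-to-string` call sites apply to the unescaped parameters.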
CVE-2024-30205 (CVSS v3 Severity Score: 7.8 High)
In Emacs versions prior to 29.3, Org Mode mistakenly treats the contents of remote files as trusted, posing a security risk. This issue affects Org Mode versions earlier than 9.6.23.
This vulnerability affects Ubuntu 16.04 LTS, 18.04 LTS, 20.04 LTS, and 22.04 LTS.
CVE-2024-39331 (CVSS v3 Severity Score: 7.8 High)
In Emacs versions prior to 29.4, the `org-link-expand-abbrev` function in `lisp/ol.el` expands `%(…)` link abbreviations even when they include unsafe functions such as `shell-command-to-string`. This vulnerability affects Org Mode versions before 9.7.5.
How To Stay Secure
Given the severity of these vulnerabilities, Emacs users need to take immediate action by updating to the latest patched version provided by their Linux distribution. For Ubuntu users, Canonical has released security patches for all affected Ubuntu versions, including:
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 ESM
- Ubuntu 16.04 ESM
Extended Security Maintenance (ESM) is only available through the Ubuntu Pro subscription and extends the life of outdated Ubuntu releases by providing critical security updates.
TuxCare’s Extended Lifecycle Support (ELS)
Ubuntu 16.04 and Ubuntu 18.04 have already reached their end of life and no longer receive official security updates without extended support. Alternatively, users and organizations can use TuxCare’s Extended Lifecycle Support for Ubuntu 16.04 and Ubuntu 18.04 to continue receiving security patches for these releases for up to five additional years after the EOL date.
Additionally, it is important to note that the identified Emacs vulnerabilities are not exclusive to Ubuntu. Distributions such as CentOS 7 are also affected, posing a broader security risk across the Linux ecosystem. The ELS team has released patches for these vulnerabilities across different Linux distributions, including CentOS 7, which reached end of life on June 30, 2024.
ELS currently supports a variety of Linux distributions, including:
- CentOS 6, CentOS 7, and CentOS 8
- CentOS Stream 8
- Oracle Linux 6 and Oracle Linux 7
- Ubuntu 16.04 and Ubuntu 18.04
By deploying these patches, TuxCare ensures that even legacy systems remain protected from the latest Emacs vulnerabilities.
Source: USN-7027-1