important: cryptopp/emacs security update
important
An update for cryptopp/emacs is now available for NewStart CGSL MAIN 7.02.
NewStart Security has rated this update as having a security impact of important. A Common Vunlnerability Scoring System(CVSS)base score, which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section.
cryptopp:
emacs:
Security Fix(es):
cryptopp: gf2n.cpp in Crypto++ (aka cryptopp) through 8.9.0 allows attackers to cause a denial of service (application crash) via DER public-key data for an F(2^m) curve, if the degree of each term in the polynomial is not strictly decreasing.(CVE-2023-50980)
cryptopp: ModularSquareRoot in Crypto++ (aka cryptopp) through 8.9.0 allows attackers to cause a denial of service (infinite loop) via crafted DER public-key data associated with squared odd numbers, such as the square of 268995137513890432434389773128616504853.(CVE-2023-50981)
cryptopp: bugfix
emacs: A flaw was found in Emacs. Arbitrary Lisp code can be evaluated when an Org mode file is opened or when the Org mode is being enabled, resulting in arbitrary code execution.(CVE-2024-30202)
emacs: A flaw was found in Emacs. When Emacs is used as an email client, inline MIME attachments are considered to be trusted by default, allowing a crafted LaTeX document to exhaust the disk space or the inodes allocated for the partition where the /tmp directory is located. This issue possibly results in a denial of service.(CVE-2024-30203)
emacs: A flaw was found in Emacs. When Emacs is used as an email client, a preview of a crafted LaTeX document attached to an email can exhaust the disk space or the inodes allocated for the partition where the /tmp directory is located. This issue possibly results in a denial of service.(CVE-2024-30204)
emacs: A flaw was found in Emacs. Org mode considers the content of remote files, such as files opened with TRAMP on remote systems, to be trusted, resulting in arbitrary code execution.(CVE-2024-30205)
emacs: A command injection flaw was found in the text editor Emacs. It could allow a remote, unauthenticated attacker to execute arbitrary shell commands on a vulnerable system. Exploitation is possible by tricking users into visiting a specially crafted website or an HTTP URL with a redirect.(CVE-2025-1244)
emacs: A flaw was found in Emacs. Arbitrary shell commands can be executed without prompting when an Org mode file is opened or when the Org mode is enabled, when Emacs is used as an email client, this issue can be triggered when previewing email attachments.(CVE-2024-39331)
emacs: A flaw was found in Emacs. Viewing or editing an untrusted Emacs Lisp source code file can cause arbitrary code execution due to unsafe macro expansion when a user has configured elisp-completion-at-point for code completion or has enabled automatic error checking, such as Flymake or Flycheck.(CVE-2024-53920)
emacs: A flaw was found in the Emacs package. A malicious ruby source file may cause a local command injection.(CVE-2022-48338)
emacs: A flaw was found in the Emacs package. This flaw allows attackers to execute commands via shell metacharacters in the name of a source-code file.(CVE-2022-48337)
emacs: A flaw was found in the Emacs package. If a file name or directory name contains shell metacharacters, arbitrary code may be executed.(CVE-2022-48339)
emacs: A flaw was found in Etags, the Ctags implementation of Emacs. A file with a crafted filename may result in arbitrary command execution when processed by Etags.(CVE-2022-45939)
emacs: A flaw was found in the Emacs text editor. When opened with emacsclient-mail.desktop, a crafted mailto URI can result in shell command injection due to lack of compliance with the Desktop Entry Specification.(CVE-2023-27985)
emacs: bugfix
Solution:
For details on how to apply this update, which includes the changes described in this advisory, refer to:
http://security.gd-linux.com/how_to_apply_patch.html
Remember the build tag is 7.02.03B8.