CVE-2023-27985
Summary
| CVE | CVE-2023-27985 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2023-03-09 06:15:00 UTC |
| Updated | 2023-06-09 07:15:00 UTC |
| Description | emacsclient-mail.desktop in Emacs 28.1 through 28.2 is vulnerable to shell command injections through a crafted mailto: URI. This is related to lack of compliance with the Desktop Entry Specification. It is fixed in 29.0.90. |
Risk And Classification
Problem Types: CWE-78
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Shell command and Emacs Lisp injection in emacsclient-mail.desktop - /dev/posts/ | MISC | www.gabriel.urdhr.fr | |
| oss-security - Shell command and Emacs Lisp code injection in emacsclient-mail.desktop | MISC | www.openwall.com | |
| emacs.git - Emacs source repository | MISC | git.savannah.gnu.org | |
| oss-security - Re: Shell command and Emacs Lisp code injection in emacsclient-mail.desktop | MLIST | www.openwall.com | |
| #60204 - 28.2; Invalid Exec key in etc/emacsclient-mail.desktop - GNU bug report logs | MISC | debbugs.gnu.org | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
Legacy QID Mappings
- 183175 Debian Security Update for emacs (CVE-2023-27985)
- 355108 Amazon Linux Security Advisory for emacs : ALAS2023-2023-134
- 502848 Alpine Linux Security Update for emacs
- 503181 Alpine Linux Security Update for emacs
- 506041 Alpine Linux Security Update for emacs
- 906645 Common Base Linux Mariner (CBL-Mariner) Security Update for emacs (25581-3)