CVE-2022-48338

EUVD-2022-51038

20.02.2023, 23:15

An issue was discovered in GNU Emacs through 28.2. In ruby-mode.el, the ruby-find-library-file function has a local command injection vulnerability. The ruby-find-library-file function is an interactive function, and bound to C-c C-f. Inside the function, the external command gem is called through shell-command-to-string, but the feature-name parameters are not escaped. Thus, malicious Ruby source files may cause commands to be executed.

Command Injection

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	7.3 HIGH	LOCAL	LOW	LOW	CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
CISA-ADP	ADP	7.3 HIGH	LOCAL	LOW	LOW	CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 31%

Affected Products (NVD)

Vendor	Product	Version
gnu	emacs	𝑥 ≤ 28.2

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

emacs

bookworm	1:28.2+1-15+deb12u3 fixed
bookworm (security)	1:28.2+1-15+deb12u3 fixed
bullseye	1:27.1+1-3.1+deb11u5 fixed
bullseye (security)	1:27.1+1-3.1+deb11u5 fixed
buster	not-affected
sid	1:29.4+1-3 fixed
trixie	1:29.4+1-3 fixed

Ubuntu Releases

Ubuntu Product

Codename

emacs

bionic	dne
focal	not-affected
jammy	needed
kinetic	ignored
lunar	not-affected
mantic	not-affected
noble	not-affected
trusty	ignored
xenial	ignored

emacs23

bionic	dne
focal	dne
jammy	dne
kinetic	dne
trusty	ignored
xenial	dne

emacs24

bionic	dne
focal	dne
jammy	dne
kinetic	dne
trusty	not-affected
xenial	not-affected

emacs25

bionic	not-affected
focal	dne
jammy	dne
kinetic	dne
trusty	dne
xenial	dne

xemacs21

bionic	needs-triage
focal	needs-triage
jammy	needs-triage
kinetic	ignored
lunar	ignored
mantic	ignored
noble	needs-triage
trusty	ignored
xenial	needs-triage

xemacs21-packages

bionic	needs-triage
focal	needs-triage
jammy	needs-triage
kinetic	ignored
lunar	ignored
mantic	ignored
noble	needs-triage
trusty	ignored
xenial	needs-triage

Common Weakness Enumeration

CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')
The software constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

References

https://git.savannah.gnu.org/cgit/emacs.git/commit/?id=9a3b08061feea14d6f37685ca1ab8801758bfd1c

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FLPQ4K6H2S5TY3L5UDN4K4B3L5RQJYQ6/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/U6HDBUQNAH2WL4MHWCTUZLN7NGF7CHTK/

https://www.debian.org/security/2023/dsa-5360

https://git.savannah.gnu.org/cgit/emacs.git/commit/?id=9a3b08061feea14d6f37685ca1ab8801758bfd1c

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FLPQ4K6H2S5TY3L5UDN4K4B3L5RQJYQ6/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/U6HDBUQNAH2WL4MHWCTUZLN7NGF7CHTK/

https://www.debian.org/security/2023/dsa-5360