oss-sec mailing list archives
Shell command and Emacs Lisp code injection in emacsclient-mail.desktop
From: Gabriel Corona <gabriel.corona () free fr>
Date: Wed, 8 Mar 2023 12:37:29 +0100
emacsclient-mail.desktop is vulnerable to shell command injections and Emacs Lisp injections through a crafted mailto: URI. This has been introduced in Emacs 28.1: http://git.savannah.gnu.org/cgit/emacs.git/commit/?h=emacs-29&id=b1b05c828d67930bb3b897fe98e1992db42cf23c A fix for shell command injection is currently included in the upcoming 28.3 branch: http://git.savannah.gnu.org/cgit/emacs.git/commit/?h=emacs-29&id=d32091199ae5de590a83f1542a01d75fba000467 A fix for both is currently included in the upcoming 29.1 branch: http://git.savannah.gnu.org/cgit/emacs.git/commit/?h=emacs-29&id=3c1693d08b0a71d40a77e7b40c0ebc42dca2d2cc
Attachment:
OpenPGP_signature
Description: OpenPGP digital signature
Current thread:
- Shell command and Emacs Lisp code injection in emacsclient-mail.desktop Gabriel Corona (Mar 08)
- Re: Shell command and Emacs Lisp code injection in emacsclient-mail.desktop Salvatore Bonaccorso (Mar 08)