Emacs, org-mode: Command Execution Vulnerability — GLSA 202409-19

A vulnerability has been found in Emacs and org-mode which could result in arbitrary code execution.

Affected packages

app-editors/emacs (all architectures)
  Affected versions    Unaffected versions
  < 26.3-r19           >= 26.3-r19
  < 27.2-r17           >= 27.2-r17
  < 28.2-r13           >= 28.2-r13
  < 29.3-r3            >= 29.3-r3

app-emacs/org-mode (all architectures)
  Affected versions    Unaffected versions
  < 9.7.5              >= 9.7.5

Background

Emacs is the extensible, customizable, self-documenting real-time display editor. org-mode is an Emacs mode for notes and project planning.

Description

%(...) link abbreviations could specify unsafe functions.

Impact

Opening a malicious org-mode file could result in arbitrary code execution.

Workaround

There is no known workaround at this time.

Resolution

All Emacs users should upgrade to the latest version according to the installed slot, one of:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=app-editors/emacs-26.3-r19:26"

Alternatively:

 # emerge --ask --oneshot --verbose ">=app-editors/emacs-27.2-r17:27"
 # emerge --ask --oneshot --verbose ">=app-editors/emacs-28.2-r13:28"
 # emerge --ask --oneshot --verbose ">=app-editors/emacs-29.3-r3:29"

All org-mode users should upgrade to the latest package:

 # emerge --ask --oneshot --verbose ">=app-emacs/org-mode-9.7.5"
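
To verify that an inventory of installed packages already meets the fixed versions above, here is an added Python example (not part of the advisory): it parses Gentoo `category/package-version` atoms, picks the threshold for the installed Emacs slot, and reports each atom as fixed, vulnerable or not covered. The sample inventory is constructed, and the one-atom-per-line input format (as printed by `qlist -Iv`) is an assumption.

```python
"""Audit installed Gentoo atoms against the fixed versions in GLSA 202409-19.
Added example, not from the advisory; input is one atom per line (qlist -Iv style)."""
import re

# Fixed versions taken from the advisory. Emacs is keyed by slot (its major
# version); org-mode has a single threshold, keyed by None.
FIXED = {
    "app-editors/emacs": {26: "26.3-r19", 27: "27.2-r17",
                          28: "28.2-r13", 29: "29.3-r3"},
    "app-emacs/org-mode": {None: "9.7.5"},
}

def parse_version(ver):
    """Turn '28.2-r13' into ((28, 2), 13); a missing -rN counts as -r0.
    Suffixes such as _rc or _p are not needed here and are rejected."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:-r(\d+))?", ver)
    if not m:
        raise ValueError(f"unsupported version string: {ver!r}")
    return tuple(int(x) for x in m.group(1).split(".")), int(m.group(2) or 0)

def split_atom(atom):
    """Split 'app-emacs/org-mode-9.7.5' into ('app-emacs/org-mode', '9.7.5').
    The version begins at the first '-' that is followed by a digit."""
    m = re.fullmatch(r"(.+?)-(\d[^/]*)", atom)
    if not m:
        raise ValueError(f"not a versioned atom: {atom!r}")
    return m.group(1), m.group(2)

def check(atom):
    """Return 'fixed', 'vulnerable' or 'not covered' for one installed atom."""
    pkg, ver = split_atom(atom)
    table = FIXED.get(pkg)
    if table is None:
        return "not covered"            # package not named in the advisory
    installed = parse_version(ver)
    fixed = table.get(installed[0][0], table.get(None))
    if fixed is None:
        return "not covered"            # an Emacs slot the advisory does not list
    return "fixed" if installed >= parse_version(fixed) else "vulnerable"

def audit(lines):
    """Map every non-empty atom in `lines` to its status."""
    return {a: check(a) for a in (line.strip() for line in lines) if a}

# Constructed sample inventory (not taken from a real host).
SAMPLE_INVENTORY = """\
app-editors/emacs-28.2-r12
app-editors/emacs-29.3-r3
app-emacs/org-mode-9.7.4
sys-apps/portage-3.0.66
"""

if __name__ == "__main__":
    for atom, state in audit(SAMPLE_INVENTORY.splitlines()).items():
        print(f"{state:12} {atom}")
```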

References

Release date
September 22, 2024

Latest revision
September 22, 2024 (revision 1)

Severity
high

Exploitable
local

Bugzilla entries