SB2024032629 - Fedora 40 update for emacs
Published: March 26, 2024
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 4 secuirty vulnerabilities.
1) Insufficient verification of data authenticity (CVE-ID: CVE-2024-30205)
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to Emacs in Org mode considers contents of remote files to be trusted. A remote attacker can trick the victim to open a specially crafted file and execute arbitrary code on the system.
2) Use of Potentially Dangerous Function (CVE-ID: CVE-2024-30202)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to usage of dangerous method when processing untrusted files. A remote attacker can trick the victim to open a specially crafted document and execute arbitrary Lisp code as part of turning on Org mode.
3) Insufficient verification of data authenticity (CVE-ID: CVE-2024-30203)
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to Gnus treats inline MIME contents as trusted. A remote attacker can trick the victim to open a specially crafted file and execute arbitrary code on the system.4) Insufficient verification of data authenticity (CVE-ID: CVE-2024-30204)
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to LaTeX preview is enabled by default for e-mail attachments. A remote attacker can trick the victim to open a specially crafted file and execute arbitrary code on the system.Remediation
Install update from vendor's website.