SB20250328383 - Anolis OS update for emacs

Description

This security bulletin contains information about 4 secuirty vulnerabilities.

1) Use of Potentially Dangerous Function (CVE-ID: CVE-2024-30202)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to usage of dangerous method when processing untrusted files. A remote attacker can trick the victim to open a specially crafted document and execute arbitrary Lisp code as part of turning on Org mode.

2) Insufficient verification of data authenticity (CVE-ID: CVE-2024-30203)

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to Gnus treats inline MIME contents as trusted. A remote attacker can trick the victim to open a specially crafted file and execute arbitrary code on the system.

3) Insufficient verification of data authenticity (CVE-ID: CVE-2024-30204)

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to LaTeX preview is enabled by default for e-mail attachments. A remote attacker can trick the victim to open a specially crafted file and execute arbitrary code on the system.

4) Insufficient verification of data authenticity (CVE-ID: CVE-2024-30205)

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to Emacs in Org mode considers contents of remote files to be trusted. A remote attacker can trick the victim to open a specially crafted file and execute arbitrary code on the system.

Remediation

Install update from vendor's website.

References

• https://anas.openanolis.cn/errata/detail/ANSA-2024:1071