Posted March 6

Oracle Linux: CVE-2024-39331: ELSA-2024-6510: emacs security update (MODERATE) (Multiple Advisories)

Severity: 7
CVSS: (AV:L/AC:L/Au:N/C:C/I:C/A:C)
Published: 06/23/2024
Created: 10/18/2024
Added: 10/16/2024
Modified: 11/28/2024

Description

In Emacs before 29.4, org-link-expand-abbrev in lisp/ol.el expands a %(...) link abbrev even when it specifies an unsafe function, such as shell-command-to-string. This affects Org Mode before 9.7.5.

A flaw was found in Emacs. Arbitrary shell commands can be executed without prompting when an Org mode file is opened or when Org mode is enabled. When Emacs is used as an email client, this issue can be triggered when previewing email attachments.

Solution(s)

oracle-linux-upgrade-emacs
oracle-linux-upgrade-emacs-common
oracle-linux-upgrade-emacs-filesystem
oracle-linux-upgrade-emacs-lucid
oracle-linux-upgrade-emacs-nox
oracle-linux-upgrade-emacs-terminal

References

https://attackerkb.com/topics/cve-2024-39331
CVE - 2024-39331
ELSA-2024-6510
ELSA-2024-6987