Posted on March 6

Amazon Linux 2023: CVE-2024-39331: Important priority package update for emacs

Severity: 7
CVSS: (AV:L/AC:L/Au:N/C:C/I:C/A:C)
Published: 06/23/2024
Created: 02/14/2025
Added: 02/14/2025
Modified: 02/14/2025

Description

In Emacs before 29.4, org-link-expand-abbrev in lisp/ol.el expands a %(...) link abbrev even when it specifies an unsafe function, such as shell-command-to-string. This affects Org Mode before 9.7.5.

A flaw was found in Emacs. Arbitrary shell commands can be executed without prompting when an Org mode file is opened or when Org mode is enabled. When Emacs is used as an email client, this issue can be triggered when previewing email attachments.

Solution(s)

amazon-linux-2023-upgrade-emacs
amazon-linux-2023-upgrade-emacs-common
amazon-linux-2023-upgrade-emacs-common-debuginfo
amazon-linux-2023-upgrade-emacs-debuginfo
amazon-linux-2023-upgrade-emacs-debugsource
amazon-linux-2023-upgrade-emacs-devel
amazon-linux-2023-upgrade-emacs-filesystem
amazon-linux-2023-upgrade-emacs-lucid
amazon-linux-2023-upgrade-emacs-lucid-debuginfo
amazon-linux-2023-upgrade-emacs-nox
amazon-linux-2023-upgrade-emacs-nox-debuginfo
amazon-linux-2023-upgrade-emacs-terminal

References

https://attackerkb.com/topics/cve-2024-39331
CVE - 2024-39331
https://alas.aws.amazon.com/AL2023/ALAS-2024-663.html