CVE-2023-27985

emacsclient-mail.desktop in Emacs 28.1 through 28.2 is vulnerable to shell command injections through a crafted mailto: URI. This is related to lack of compliance with the Desktop Entry Specification. It is fixed in 29.0.90

References

Affected packages

Debian:12 / emacs

Package

Name: emacs
Purl: pkg:deb/debian/emacs?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1:28.2+1-13

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-27985.json"

Debian:13 / emacs

Package

Name: emacs
Purl: pkg:deb/debian/emacs?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1:28.2+1-13

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-27985.json"

Debian:14 / emacs

Package

Name: emacs
Purl: pkg:deb/debian/emacs?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1:28.2+1-13

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-27985.json"

Git / git.savannah.gnu.org/git/emacs.git

Affected ranges

Type: GIT
Repo: https://git.savannah.gnu.org/git/emacs.git
Events: Introduced

5a223c7f2ef4c31abbd46367b6ea83cd19d30aa7

Last affected

739b5d0e52d83ec567bd61a5a49ac0e93e0eb469

Affected versions

emacs-28.*

emacs-28.1

emacs-28.1.90

emacs-28.1.91

emacs-28.2

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-27985.json"