Subject: | |
From: | |
Reply To: | |
Date: | Tue, 19 Sep 2017 22:13:44 +0100 |
Content-Type: | text/plain |
Parts/Attachments: |
|
|
On Tue, 19 Sep 2017, Pat Riehecky wrote:
> Synopsis: Important: emacs security update
> Advisory ID: SLSA-2017:2771-1
> Issue Date: 2017-09-19
> CVE Numbers: CVE-2017-14482
> --
>
> Security Fix(es):
>
> * A command injection flaw within the Emacs "enriched mode" handling has
> been discovered. By tricking an unsuspecting user into opening a specially
> crafted file using Emacs, a remote attacker could exploit this flaw to
> execute arbitrary commands with the privileges of the Emacs user.
> (CVE-2017-14482)
I see from https://access.redhat.com/security/cve/CVE-2017-14482
that RedHat have marked this "wont fix" on RHEL6 and "investigating"
on RHEL5, which seems odd - I'd have expected the other way around
(unless a RHEL5 customer is paying for it).
Yes, there is a workaround, but I imagine that emacs is commonly used
on RHEL6 and SL6 servers and it only takes one careless mistake...
How do other SL6 users feel about this "wont fix" ?
I'm trying to write my own patch, but seem to be struggling to patch
a file near a ctrl-L character ...
--
Andrew C. Aitchison Cambridge, UK
[log in to unmask]
|
|
|