-------------------------------------------------------------------------
Debian LTS Advisory DLA-3848-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                        Sean Whitton
June 29, 2024                                 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : org-mode
Version        : org-mode 9.1.14+dfsg-3+deb10u3
CVE ID         : CVE-2024-39331
Debian Bug     : 1074136

A vulnerability was discovered in Org-mode, a GNU Emacs major mode for
keeping notes, authoring documents, and maintaining to-do lists.

The org-link-expand-abbrev function expanded a %(...) link abbrev even
when the abbrev specified an unsafe function, such as
shell-command-to-string. This could lead to arbitrary code execution as
soon as an Org-mode format file was opened, including one embedded in an
e-mail message.

For Debian 10 buster, these problems have been fixed in version
9.1.14+dfsg-3+deb10u3.

We recommend that you upgrade your org-mode packages.

For the detailed security status of org-mode please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/org-mode

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
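As a defender-side triage aid (an added example, not part of this advisory or of Org-mode's own code), the following Python script scans Org text for #+LINK: abbreviations whose definition expands through a %(...) function call, the construct this vulnerability abuses, so that files received by e-mail can be reviewed before they are opened on an unpatched Emacs. The sample Org text is constructed, and the scanner is a textual heuristic over the keyword line, not an Elisp parser.

```python
import re
from typing import List, Tuple

# Org "#+LINK: <linkword> <definition>" keyword lines, matched case-insensitively.
LINK_KEYWORD = re.compile(r'^\s*#\+link:\s+(\S+)\s+(.+?)\s*$', re.IGNORECASE)
# A "%(function ...)" placeholder inside the definition; group 1 is the symbol.
FUNCTION_PLACEHOLDER = re.compile(r'%\(\s*([^\s()]+)')


def find_function_abbrevs(org_text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, linkword, function_name) for every link
    abbreviation whose definition calls an Elisp function via %(...).
    Ordinary %s / %h abbreviations are not reported."""
    findings = []
    for lineno, line in enumerate(org_text.splitlines(), start=1):
        m = LINK_KEYWORD.match(line)
        if not m:
            continue
        linkword, definition = m.group(1), m.group(2)
        for fn in FUNCTION_PLACEHOLDER.finditer(definition):
            findings.append((lineno, linkword, fn.group(1)))
    return findings


# Constructed sample: one ordinary abbreviation and one that names a function.
SAMPLE_ORG = """\
#+TITLE: constructed sample
#+LINK: bugzilla https://bugs.example.org/show_bug.cgi?id=%s
#+LINK: shellabbrev %(shell-command-to-string "CONSTRUCTED")
* Notes
[[bugzilla:1234]]
"""

if __name__ == "__main__":
    for lineno, word, fn in find_function_abbrevs(SAMPLE_ORG):
        print(f"line {lineno}: abbrev '{word}' expands via function '{fn}'")
```

A hit means the file asks Org to call that function while expanding links and should be reviewed before the file is opened with an affected org-mode version.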