| Package | emacs24 |
|---|---|
| Version | 24.4+1-5+deb8u5 (jessie), 24.5+1-11+deb9u5 (stretch) |
| Related CVEs | CVE-2024-39331 |
A vulnerability was discovered in GNU Emacs, the extensible, customisable, self-documenting display editor.
The org-link-expand-abbrev function expanded a %(…) link abbrev even when the abbrev specified an unsafe function, such as shell-command-to-string. This could lead to arbitrary code execution as soon as an Org-mode format file was opened.
For Debian 8 jessie, these problems have been fixed in version 24.4+1-5+deb8u5.
For Debian 9 stretch, these problems have been fixed in version 24.5+1-11+deb9u5.
We recommend that you upgrade your emacs24 packages.
Further information about Extended LTS security advisories can be found in the dedicated section of our website.