| Package | emacs25 |
|---|---|
| Version | 25.1+1-4+deb9u5 (stretch) |
| Related CVEs | CVE-2024-39331 |
A vulnerability was discovered in GNU Emacs, the extensible, customisable, self-documenting display editor.
The org-link-expand-abbrev function expanded a %(…) link abbrev even when the abbrev specified an unsafe function, such as shell-command-to-string. This could lead to arbitrary code execution as soon as an Org-mode format file was opened.
For Debian 9 stretch, these problems have been fixed in version 25.1+1-4+deb9u5.
We recommend that you upgrade your emacs25 packages.
Further information about Extended LTS security advisories can be found in the dedicated section of our website.