CVE-2017-14482

NameCVE-2017-14482
DescriptionGNU Emacs before 25.3 allows remote attackers to execute arbitrary code via email with crafted "Content-Type: text/enriched" data containing an x-display XML element that specifies execution of shell commands, related to an unsafe text/enriched extension in lisp/textmodes/enriched.el, and unsafe Gnus support for enriched and richtext inline MIME objects in lisp/gnus/mm-view.el. In particular, an Emacs user can be instantly compromised by reading a crafted email message (or Usenet news article).
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-1101-1, DSA-3970-1, DSA-3975-1
Debian Bugs875447, 875448, 875449

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
emacs23sourcewheezy23.4+1-4+deb7u1DLA-1101-1
emacs23source(unstable)(unfixed)875449
emacs24sourcejessie24.4+1-5+deb8u1DSA-3970-1
emacs24sourcestretch24.5+1-11+deb9u1DSA-3970-1
emacs24source(unstable)(unfixed)875448
emacs25sourcestretch25.1+1-4+deb9u1DSA-3975-1
emacs25source(unstable)25.2+1-6875447

Notes

https://www.openwall.com/lists/oss-security/2017/09/11/1
https://debbugs.gnu.org/cgi/bugreport.cgi?bug=28350
https://git.savannah.gnu.org/cgit/emacs.git/commit/?h=emacs-25&id=9ad0fcc54442a9a01d41be19880250783426db70
Search for package or bug name: Reporting problems