Security update for emacs SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2017:2532-1 Final 1 1 2017-09-20T10:34:06Z current 2017-09-20T10:34:06Z 2017-09-20T10:34:06Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for emacs This update for emacs fixes one issues. This security issue was fixed: - CVE-2017-14482: Remote code execution via mails with 'Content-Type: text/enriched' (bsc#1058425) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). sdksp4-emacs-13285,sleposp3-emacs-13285,slessp3-emacs-13285,slessp4-emacs-13285 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2017/suse-su-20172532-1/ Link for SUSE-SU-2017:2532-1 https://lists.suse.com/pipermail/sle-security-updates/2017-September/003251.html E-Mail link for SUSE-SU-2017:2532-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1058425 SUSE Bug 1058425 https://www.suse.com/security/cve/CVE-2017-14482/ SUSE CVE CVE-2017-14482 page SUSE Linux Enterprise Point of Sale 11 SP3 SUSE Linux Enterprise Server 11 SP3-LTSS SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE Linux Enterprise Server 11 SP4 SUSE Linux Enterprise Server for SAP Applications 11 SP4 SUSE Linux Enterprise Software Development Kit 11 SP4 emacs-nox-22.3-42.3.1 emacs-22.3-42.3.1 emacs-el-22.3-42.3.1 emacs-info-22.3-42.3.1 emacs-x11-22.3-42.3.1 emacs-22.3-42.3.1 as a component of SUSE Linux Enterprise Point of Sale 11 SP3 emacs-el-22.3-42.3.1 as a component of SUSE Linux Enterprise Point of Sale 11 SP3 emacs-info-22.3-42.3.1 as a component of SUSE Linux Enterprise Point of Sale 11 SP3 emacs-nox-22.3-42.3.1 as a component of SUSE Linux Enterprise Point of Sale 11 SP3 emacs-x11-22.3-42.3.1 as a component of SUSE Linux Enterprise Point of Sale 11 SP3 emacs-22.3-42.3.1 as a component of SUSE Linux Enterprise Server 11 SP3-LTSS emacs-el-22.3-42.3.1 as a component of SUSE Linux Enterprise Server 11 SP3-LTSS emacs-info-22.3-42.3.1 as a component of SUSE Linux Enterprise Server 11 SP3-LTSS emacs-nox-22.3-42.3.1 as a component of SUSE Linux Enterprise Server 11 SP3-LTSS emacs-x11-22.3-42.3.1 as a component of SUSE Linux Enterprise Server 11 SP3-LTSS emacs-22.3-42.3.1 as a component of SUSE Linux Enterprise Server 11 SP3-TERADATA emacs-el-22.3-42.3.1 as a component of SUSE Linux Enterprise Server 11 SP3-TERADATA emacs-info-22.3-42.3.1 as a component of SUSE Linux Enterprise Server 11 SP3-TERADATA emacs-nox-22.3-42.3.1 as a component of SUSE Linux Enterprise Server 11 SP3-TERADATA emacs-x11-22.3-42.3.1 as a component of SUSE Linux Enterprise Server 11 SP3-TERADATA emacs-22.3-42.3.1 as a component of SUSE Linux Enterprise Server 11 SP4 emacs-el-22.3-42.3.1 as a component of SUSE Linux Enterprise Server 11 SP4 emacs-info-22.3-42.3.1 as a component of SUSE Linux Enterprise Server 11 SP4 emacs-nox-22.3-42.3.1 as a component of SUSE Linux Enterprise Server 11 SP4 emacs-x11-22.3-42.3.1 as a component of SUSE Linux Enterprise Server 11 SP4 emacs-22.3-42.3.1 as a component of SUSE Linux Enterprise Server for SAP Applications 11 SP4 emacs-el-22.3-42.3.1 as a component of SUSE Linux Enterprise Server for SAP Applications 11 SP4 emacs-info-22.3-42.3.1 as a component of SUSE Linux Enterprise Server for SAP Applications 11 SP4 emacs-nox-22.3-42.3.1 as a component of SUSE Linux Enterprise Server for SAP Applications 11 SP4 emacs-x11-22.3-42.3.1 as a component of SUSE Linux Enterprise Server for SAP Applications 11 SP4 emacs-nox-22.3-42.3.1 as a component of SUSE Linux Enterprise Software Development Kit 11 SP4 GNU Emacs before 25.3 allows remote attackers to execute arbitrary code via email with crafted "Content-Type: text/enriched" data containing an x-display XML element that specifies execution of shell commands, related to an unsafe text/enriched extension in lisp/textmodes/enriched.el, and unsafe Gnus support for enriched and richtext inline MIME objects in lisp/gnus/mm-view.el. In particular, an Emacs user can be instantly compromised by reading a crafted email message (or Usenet news article). CVE-2017-14482 SUSE Linux Enterprise Point of Sale 11 SP3:emacs-22.3-42.3.1 SUSE Linux Enterprise Point of Sale 11 SP3:emacs-el-22.3-42.3.1 SUSE Linux Enterprise Point of Sale 11 SP3:emacs-info-22.3-42.3.1 SUSE Linux Enterprise Point of Sale 11 SP3:emacs-nox-22.3-42.3.1 SUSE Linux Enterprise Point of Sale 11 SP3:emacs-x11-22.3-42.3.1 SUSE Linux Enterprise Server 11 SP3-LTSS:emacs-22.3-42.3.1 SUSE Linux Enterprise Server 11 SP3-LTSS:emacs-el-22.3-42.3.1 SUSE Linux Enterprise Server 11 SP3-LTSS:emacs-info-22.3-42.3.1 SUSE Linux Enterprise Server 11 SP3-LTSS:emacs-nox-22.3-42.3.1 SUSE Linux Enterprise Server 11 SP3-LTSS:emacs-x11-22.3-42.3.1 SUSE Linux Enterprise Server 11 SP3-TERADATA:emacs-22.3-42.3.1 SUSE Linux Enterprise Server 11 SP3-TERADATA:emacs-el-22.3-42.3.1 SUSE Linux Enterprise Server 11 SP3-TERADATA:emacs-info-22.3-42.3.1 SUSE Linux Enterprise Server 11 SP3-TERADATA:emacs-nox-22.3-42.3.1 SUSE Linux Enterprise Server 11 SP3-TERADATA:emacs-x11-22.3-42.3.1 SUSE Linux Enterprise Server 11 SP4:emacs-22.3-42.3.1 SUSE Linux Enterprise Server 11 SP4:emacs-el-22.3-42.3.1 SUSE Linux Enterprise Server 11 SP4:emacs-info-22.3-42.3.1 SUSE Linux Enterprise Server 11 SP4:emacs-nox-22.3-42.3.1 SUSE Linux Enterprise Server 11 SP4:emacs-x11-22.3-42.3.1 SUSE Linux Enterprise Server for SAP Applications 11 SP4:emacs-22.3-42.3.1 SUSE Linux Enterprise Server for SAP Applications 11 SP4:emacs-el-22.3-42.3.1 SUSE Linux Enterprise Server for SAP Applications 11 SP4:emacs-info-22.3-42.3.1 SUSE Linux Enterprise Server for SAP Applications 11 SP4:emacs-nox-22.3-42.3.1 SUSE Linux Enterprise Server for SAP Applications 11 SP4:emacs-x11-22.3-42.3.1 SUSE Linux Enterprise Software Development Kit 11 SP4:emacs-nox-22.3-42.3.1 critical 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2017/suse-su-20172532-1/ https://www.suse.com/security/cve/CVE-2017-14482.html CVE-2017-14482 https://bugzilla.suse.com/1058425 SUSE Bug 1058425