GNU Emacs through 28.2 allows attackers to execute commands via shell metacharacters in the name of a source-code file, because lib-src/etags.c uses the system C library function in its implementation of the ctags program. For example, a victim may use the "ctags *" command (suggested in the ctags documentation) in a situation where the current working directory has contents that depend on untrusted input. Reference and upstream patch: https://git.savannah.gnu.org/cgit/emacs.git/commit/?id=d48bb4874bc6cd3e69c7a15fc3c91cc141025c51
Created emacs tracking bugs for this issue: Affects: fedora-all [bug 2149381]
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2023:2366 https://access.redhat.com/errata/RHSA-2023:2366
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2023:3042 https://access.redhat.com/errata/RHSA-2023:3042
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2022-45939
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.6 Extended Update Support Via RHSA-2024:1103 https://access.redhat.com/errata/RHSA-2024:1103