Vulnerability Details : CVE-2012-3479
lisp/files.el in Emacs 23.2, 23.3, 23.4, and 24.1 automatically executes eval forms in local-variable sections when the enable-local-variables option is set to :safe, which allows user-assisted remote attackers to execute arbitrary Emacs Lisp code via a crafted file.
Products affected by CVE-2012-3479
- cpe:2.3:a:gnu:emacs:23.2:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:emacs:23.4:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:emacs:23.3:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:emacs:24.1:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2012-3479
- EPSS score: 1.31% (probability of exploitation activity in the next 30 days)
- Percentile: ~86% (the proportion of vulnerabilities scored at or below this one)
CVSS scores for CVE-2012-3479
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P | 8.6 | 6.4 | NIST | |
References for CVE-2012-3479
- http://www.securitytracker.com/id?1027375
  GNU Emacs 'enable-local-variables' Safe Setting Can Be Bypassed Leading to Command Execution - SecurityTracker
- http://www.securityfocus.com/bid/54969
  GNU Emacs 'enable-local-variables' Remote Code Execution Vulnerability
- http://www.slackware.com/security/viewer.php?l=slackware-security&y=2012&m=slackware-security.420006
  The Slackware Linux Project: Slackware Security Advisories
- http://www.openwall.com/lists/oss-security/2012/08/13/1
  oss-security - Security flaw in GNU Emacs file-local variables (Patch)
- http://www.openwall.com/lists/oss-security/2012/08/13/2
  oss-security - Re: Security flaw in GNU Emacs file-local variables
- http://www.mandriva.com/security/advisories?name=MDVSA-2013:076
  mandriva.com
- http://lists.opensuse.org/opensuse-updates/2012-10/msg00057.html
  openSUSE-SU-2012:1348-1: moderate: emacs and depending packages
- http://debbugs.gnu.org/cgi/bugreport.cgi?bug=12155
  #12155 - 24.1; Potential Security Flaw with `enable-local-eval', `enable-local-variables' - GNU bug report logs
- http://www.debian.org/security/2013/dsa-2603
  Debian -- Security Information -- DSA-2603-1 emacs23
- http://www.ubuntu.com/usn/USN-1586-1
  USN-1586-1: Emacs vulnerabilities | Ubuntu security notices