GNU Emacs Command Injection Vulnerability via Custom 'man' URI Scheme

Vulnerability

A command injection vulnerability has been identified in GNU Emacs, affecting all released versions through 29.4. It allows remote, unauthenticated attackers to execute arbitrary shell commands on vulnerable systems. The issue arises from improper handling of custom 'man' URI schemes, which can be exploited by tricking users into visiting specially crafted websites or HTTP URLs with redirects. The vulnerability has been addressed in Emacs version 30.1.

Impact

Exploitation of this vulnerability allows for arbitrary command execution on the affected system.

Reproduction

The vulnerability can be reproduced by using 'M-x man' with a reference that includes shell special characters, such as ';', which can be used to inject commands. This can be done manually or by creating a malicious 'man' link in an Org mode file, which will be processed by Emacs and execute the injected command.

Remediation

Upgrade to GNU Emacs version 30.1, where this vulnerability has been fixed. Instructions for updating Emacs can be found on the Red Hat Customer Portal.
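As an added interim mitigation for users who cannot yet upgrade (this is not part of the advisory and not the upstream Emacs fix), the Emacs Lisp below wraps 'man' in an allowlist check that refuses any reference containing characters beyond what a page name and section need, so a ';' or similar metacharacter never reaches the shell. It assumes that both 'M-x man' and the Org 'man:' link handler reach the same 'man' function, which is what the default ol-man.el handler does.

```elisp
;; Added defensive guard, not the upstream Emacs fix. Assumes the
;; advised entry point `man' is the one reached by `M-x man' and by
;; the Org `man:' link handler (ol-man.el calls it by default).
(defconst my/man-safe-ref-regexp
  "\\`[[:alnum:]._+:@ -]+\\(([[:alnum:]]+)\\)?\\'"
  "Allowlist for a legitimate man page reference.
Letters, digits, . _ + : @ - and spaces, optionally followed by a
section in parentheses, e.g. \"ls(1)\", \"3 printf\", \"git-log\".
Shell metacharacters such as ; | & $ ` ( ) < > are rejected.")

(defun my/man-guard (orig-fun man-args)
  "Run ORIG-FUN (`man') only if MAN-ARGS matches the allowlist.
Otherwise refuse with a `user-error' so nothing is handed to the shell."
  (if (and (stringp man-args)
           (string-match-p my/man-safe-ref-regexp man-args))
      (funcall orig-fun man-args)
    (user-error "Refusing to run man on suspicious reference: %S"
                man-args)))

;; Install the guard around `man' (covers M-x man and Org man: links).
(advice-add 'man :around #'my/man-guard)

;; After upgrading to Emacs 30.1 the guard can be dropped with:
;; (advice-remove 'man #'my/man-guard)
```

Evaluate the block in your init file; a rejected reference is reported in the echo area instead of being executed.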

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread          6.6
impact          2.5
exploitability  5.8
remediation     8.3
relevance       0.0
threat          6.4
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.