CVE-2022-48338: 
NixOS vulnerability analysis and mitigation

A local command injection vulnerability was discovered in GNU Emacs through version 28.2. The vulnerability (CVE-2022-48338) exists in the ruby-find-library-file function within ruby-mode.el. This interactive function, bound to C-c C-f, calls the external command 'gem' through shell-command-to-string without properly escaping the feature-name parameters, potentially allowing malicious Ruby source files to cause command execution (Debian Security).

The vulnerability stems from improper input sanitization in the ruby-find-library-file function of ruby-mode.el. When the function is called, it uses shell-command-to-string to execute the 'gem' command with user-provided input without proper parameter escaping. The function is interactively accessible through the key binding C-c C-f. The issue was fixed by implementing proper shell argument quoting using shell-quote-argument (Emacs Git).

If exploited, this vulnerability could allow an attacker to execute arbitrary shell commands through specially crafted Ruby source files. The impact is limited to local command execution when a user interacts with Ruby files in Emacs (Red Hat CVE).

The vulnerability was fixed in Emacs 28.3-rc1. Users are advised to upgrade to this version or later. The fix involves properly escaping the feature-name parameter using shell-quote-argument in the ruby-find-library-file function. Distribution-specific fixes are available in Debian 11 (Bullseye) version 1:27.1+1-3.1+deb11u2 and Fedora versions 28.3-0.rc1 (Fedora Update, Debian Security).