emacs-bug-tracker
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

bug#59544: closed ([PATCH] Fixed lib-src/etags.c command execute vulnera

From: GNU bug Tracking System
Subject: bug#59544: closed ([PATCH] Fixed lib-src/etags.c command execute vulnerability)
Date: Sun, 27 Nov 2022 18:08:02 +0000 
Your message dated Sun, 27 Nov 2022 20:07:54 +0200
with message-id <83edtop8xx.fsf@gnu.org>
and subject line Re: bug#59544: [PATCH] Fixed lib-src/etags.c command execute 
vulnerability
has caused the debbugs.gnu.org bug report #59544,
regarding [PATCH] Fixed lib-src/etags.c command execute vulnerability
to be marked as done.

(If you believe you have received this mail in error, please contact
help-debbugs@gnu.org.)


-- 
59544: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=59544
GNU Bug Tracking System
Contact help-debbugs@gnu.org with problems
--- Begin Message --- Subject: [PATCH] Fixed lib-src/etags.c command execute vulnerability Date: Thu, 24 Nov 2022 23:27:13 +0800 Hi, In ctags (Emacs <= 28.2.50) has a command execute vulnerability.

When using the -u parameter, ctags will execute external shell commands by calling the system() function, if there are special file names, unexpected shell commands may be executed. The example is as follows:

$ ls
etags.c
$ /usr/local/bin/ctags *.c
$ touch "'| uname -a #.c"
$ /usr/local/bin/ctags -u *.c
Linux mypc 6.0.8-300.fc37.x86_64 #1 SMP PREEMPT_DYNAMIC Fri Nov 11 15:09:04 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux

^C/usr/local/bin/ctags: failed to execute shell command

The vulnerability occurs in the following code:

char *z = stpcpy (cmd, "mv ");                   
z = stpcpy (z, tagfile);                         
z = stpcpy (z, " OTAGS;grep -Fv '\t");           
z = stpcpy (z, argbuffer[i].what);               
z = stpcpy (z, "\t' OTAGS >");                   
z = stpcpy (z, tagfile);                         
strcpy (z, ";rm OTAGS");                         
if (system (cmd) != EXIT_SUCCESS)               
  fatal ("failed to execute shell command");     

Because the file name is not checked, the file name is used as a concatenated string:

mv tags OTAGS;grep -Fv ' '| uname -a #.c ' OTAGS >tags;rm OTAGS

Email attachments are patches.

Attachment: 0001-lib-src-etags.c-Fix-ctags-command-execute-vulnerabil.patch
Description: Binary data


--- End Message ---
--- Begin Message --- Subject: Re: bug#59544: [PATCH] Fixed lib-src/etags.c command execute vulnerability Date: Sun, 27 Nov 2022 20:07:54 +0200 
> Date: Sun, 27 Nov 2022 23:44:07 +0800
> From: lux <lx@shellcodes.org>
> 
> On Sun, 27 Nov 2022 16:15:38 +0200
> Eli Zaretskii <eliz@gnu.org> wrote:
> 
> > But something is wrong with the 2 new tests: they fail.  I replaced
> > the "good" files with the ones I get on my system, but the test fails
> > on another system.  Could you please look into the test failures and
> > find a fix?
> 
> Hi, I think because the order of the tag data of the files generated by
> different OS environments is different.
> 
> I sorted the file using the sort command, test ok.
> 
> ctags_update: CTAGS.good_update ${infiles}
>       head -n 100 CTAGS.good_update > CTAGS
>       tail -n 100 CTAGS.good_update >> CTAGS
>       ${RUN} ${CTAGS_PROG} -o CTAGS -u ${ARGS}
>       diff -u --suppress-common-lines --width=80 <(sort
> CTAGS.good_update) <(sort CTAGS)
> 
>       cp crlf CTAGS
>       ${RUN} ${CTAGS_PROG} -o CTAGS -u ${ARGS}
>       diff -u --suppress-common-lines --width=80 <(sort
>       CTAGS.good_crlf) <(sort CTAGS)

Thanks, I installed a variant of this using more portable commands.

And with that, I'm closing this bug.

--- End Message ---
reply via email to
[Prev in Thread] Current Thread [Next in Thread]