unofficial mirror of bug-gnu-emacs@gnu.org 
* bug#59544: [PATCH] Fixed lib-src/etags.c command execute vulnerability
@ 2022-11-24 15:27 lux
  2022-11-24 18:01 ` Eli Zaretskii
  0 siblings, 1 reply; 30+ messages in thread
From: lux @ 2022-11-24 15:27 UTC (permalink / raw)
  To: 59544; +Cc: lux



Hi. ctags (Emacs <= 28.2.50) has a command execution vulnerability.

When the -u option is used, ctags executes external shell commands by calling the system() function; if there are specially crafted file names, unexpected shell commands may be executed. An example follows:


$ ls
etags.c

$ /usr/local/bin/ctags *.c
$ touch "'| uname -a #.c"
$ /usr/local/bin/ctags -u *.c
Linux mypc 6.0.8-300.fc37.x86_64 #1 SMP PREEMPT_DYNAMIC Fri Nov 11 15:09:04 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux


^C/usr/local/bin/ctags: failed to execute shell command


The vulnerability occurs in the following code:


char *z = stpcpy (cmd, "mv ");
z = stpcpy (z, tagfile);
z = stpcpy (z, " OTAGS;grep -Fv '\t");
z = stpcpy (z, argbuffer[i].what);
z = stpcpy (z, "\t' OTAGS >");
z = stpcpy (z, tagfile);
strcpy (z, ";rm OTAGS");
if (system (cmd) != EXIT_SUCCESS)
  fatal ("failed to execute shell command");



Because the file name is not checked, it is concatenated directly into the command string:


mv tags OTAGS;grep -Fv '	'| uname -a #.c	' OTAGS >tags;rm OTAGS


The patch is attached to this email.


[-- Attachment #2: 0001-lib-src-etags.c-Fix-ctags-command-execute-vulnerabil.patch --]
[-- Type: application/octet-stream, Size: 1385 bytes --]

From e21e6d684fbf679f22b69652708e91632c90618b Mon Sep 17 00:00:00 2001
From: lu4nx <lx@shellcodes.org>
Date: Thu, 24 Nov 2022 23:24:54 +0800
Subject: [PATCH] * lib-src/etags.c: Fix ctags command execute vulnerability

---
 lib-src/etags.c | 33 +++++++++++++++++++++++++++++++++
 1 file changed, 33 insertions(+)

diff --git a/lib-src/etags.c b/lib-src/etags.c
index f665f35fa6..7830db6451 100644
--- a/lib-src/etags.c
+++ b/lib-src/etags.c
@@ -157,6 +157,32 @@ memcpyz (void *dest, void const *src, ptrdiff_t len)
   *e = '\0';
 }
 
+static bool
+filename_has_shell_str(char *s)
+{
+  if (!s)
+    return false;
+
+  char *p = s;
+  while (*p != '\0')
+    {
+      switch (*p)
+        {
+        case '\'':
+        case '"':
+        case '&':
+        case '|':
+        case ';':
+        case '`':
+        case '$':
+          return true;
+        }
+      p++;
+    }
+
+  return false;
+}
+
 static bool
 streq (char const *s, char const *t)
 {
@@ -1400,6 +1426,13 @@ main (int argc, char **argv)
 	    default:
 	      continue;		/* the for loop */
 	    }
+
+          if ( filename_has_shell_str (argbuffer[i].what) )
+            {
+              printf ("Warning, ignore this file: %s\n", argbuffer[i].what);
+              continue;
+            }
+
 	  char *z = stpcpy (cmd, "mv ");
 	  z = stpcpy (z, tagfile);
 	  z = stpcpy (z, " OTAGS;grep -Fv '\t");
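Review bot: only `argbuffer[i].what` is checked, but `tagfile` is spliced into the same command twice (`z = stpcpy (z, tagfile);`) with no check and no quoting, so the value given with -o needs the same treatment or the command must go. The warning is written to stdout with `printf`; diagnostics in etags.c go to stderr (as `fatal` does), and a warning that the user will actually see should too. Silently `continue`-ing also leaves the stale entries for that file in the tags file after an -u run, which the message should say, since the user asked for an update and did not get one. Style: the added lines are indented with spaces while the surrounding code uses tabs, and `if ( filename_has_shell_str (argbuffer[i].what) )` has stray spaces inside the parentheses.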
-- 
2.38.1


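The shell-free direction a reviewer would ask for, as an added example that is neither the patch above nor Emacs code: do the `grep -Fv '\t<file>\t'` step in C, so the file name is only ever compared as bytes and never handed to system(). The tag lines and the function names are constructed for this example and assume the vi-style `name<TAB>file<TAB>...` layout.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
/* True when the LEN-byte LINE holds the field "\t" NAME "\t" (what grep -Fv matched). */
static bool
line_mentions_file (const char *line, size_t len, const char *name)
{
  size_t n = strlen (name);
  for (size_t i = 0; i + n + 2 <= len; i++)
    if (line[i] == '\t' && memcmp (line + i + 1, name, n) == 0
        && line[i + n + 1] == '\t')
      return true;
  return false;
}

/* Copies newline-separated tags text IN to OUT (capacity OUTCAP, NUL-terminated),
   dropping lines that mention NAME.  Returns the count dropped, or -1 if OUT is too small. */
static long
filter_tags_text (const char *in, const char *name, char *out, size_t outcap)
{
  size_t used = 0;
  long dropped = 0;
  while (*in)
    {
      const char *nl = strchr (in, '\n');
      size_t len = nl ? (size_t) (nl - in) + 1 : strlen (in);
      if (line_mentions_file (in, len, name))
        dropped++;                     /* NAME is compared as bytes; no shell sees it */
      else if (used + len + 1 > outcap)
        return -1;
      else
        {
          memcpy (out + used, in, len);
          used += len;
        }
      in += len;
    }
  out[used] = '\0';
  return dropped;
}

int main (void)
{
  /* Constructed sample; the second file name is the hostile one from the report. */
  const char *tags = "main\tetags.c\t1;\"\tf\nx\t'| uname -a #.c\t1;\"\tv\ny\tother.c\t2;\"\tv\n";
  char out[256];
  long dropped = filter_tags_text (tags, "'| uname -a #.c", out, sizeof out);
  printf ("dropped %ld line(s):\n%s", dropped, out);
  return dropped == 1 ? 0 : 1;
}
```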


Thread overview: 30+ messages
2022-11-24 15:27 bug#59544: [PATCH] Fixed lib-src/etags.c command execute vulnerability lux
2022-11-24 18:01 ` Eli Zaretskii
2022-11-24 18:12   ` Stefan Kangas
2022-11-24 18:38     ` Eli Zaretskii
2022-11-25  3:45       ` lux
2022-11-25  6:41       ` lux
2022-11-25  7:53         ` Stefan Kangas
2022-11-25  8:38           ` lux
2022-11-25  8:56             ` Stefan Kangas
2022-11-25 12:19               ` Eli Zaretskii
2022-11-25 12:18         ` Eli Zaretskii
2022-11-25 16:02           ` lux
2022-11-26  0:43             ` Stefan Kangas
2022-11-26  2:30               ` lux
2022-11-26  3:09               ` lux
2022-11-26  9:47                 ` Stefan Kangas
2022-11-26 10:14                   ` Eli Zaretskii
     [not found]                     ` <tencent_A9399566146BF66A0CEFAEE4B3C285839109@qq.com>
2022-11-26 12:28                       ` Eli Zaretskii
2022-11-26 13:03                         ` Stefan Kangas
2022-11-26 14:15                           ` Eli Zaretskii
     [not found]                         ` <tencent_F5BD82AD38AB67E06AB86AE8EE5EE577C309@qq.com>
2022-11-26 14:30                           ` Eli Zaretskii
2022-11-26 13:21                 ` Eli Zaretskii
     [not found]                   ` <tencent_63F9E4F0AB6043CE8C198E1AAA9AD9BB1A07@qq.com>
2022-11-26 14:17                     ` Eli Zaretskii
     [not found]                       ` <tencent_0B66566A766A94EE00E45DC327831B387709@qq.com>
2022-11-26 14:49                         ` Eli Zaretskii
     [not found]                           ` <tencent_B9EE8C5FCD5A8DCF9D8AFC56787AF00AE706@qq.com>
2022-11-26 17:11                             ` Eli Zaretskii
2022-11-27  3:05                               ` lux
2022-11-27  6:35                               ` lux
2022-11-27 14:15                                 ` Eli Zaretskii
2022-11-27 14:31                                   ` Eli Zaretskii
     [not found]                                   ` <tencent_67B00527E64C548D4ECDF55D977C75B84B06@qq.com>
2022-11-27 18:07                                     ` Eli Zaretskii

Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/emacs.git
