From: Eli Zaretskii
To: lux
Cc: 59544@debbugs.gnu.org, stefankangas@gmail.com
Newsgroups: gmane.emacs.bugs
Subject: bug#59544: [PATCH] Fixed lib-src/etags.c command execute vulnerability
Date: Sat, 26 Nov 2022 16:49:56 +0200
Message-ID: <83h6ylsrcb.fsf@gnu.org>

> Date: Sat, 26 Nov 2022 22:26:22 +0800
> Cc: stefankangas@gmail.com, 59544@debbugs.gnu.org
> From: lux
>
> Yes, but I think it violates the original author's intention, and it
> seems that there is no occasion to use this parameter in etags?
>
> /*
>  * Read a line of text from `stream' into `lbp', excluding the
>  * newline or CR-NL, if any.  Return the number of characters read from
>  * `stream', which is the length of the line including the newline.
>  *
>  * On DOS or Windows we do not count the CR character, if any before the
>  * NL, in the returned length; this mirrors the behavior of Emacs on those
>  * platforms (for text files, it translates CR-NL to NL as it reads in the
>  * file).

The above is about the character counts written in TAGS tables, which
are produced by etags, not by ctags. Files produced by ctags only count
lines, not characters. So the above comment is not relevant to ctags.

More importantly, the original tags file could have been written by a
utility other than our ctags, and I don't think we should change the
EOL format of such a file when we update it.
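
The EOL concern in the message above, as an added example (not code from the message or from etags.c): an in-process filter that drops the lines for one source file from a tags buffer, either by stripping NL/CR-NL on read and writing back NL, or by copying kept lines byte for byte. The function names, the drop-lines-by-file-name model of an update, and the sample tags content are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
/* Constructed sample: a tags file with CR-LF line endings. */
static const char SAMPLE[] =
    "main\tfoo.c\t/^main(void)$/\r\n"
    "helper\tbar.c\t/^helper(int x)$/\r\n"
    "parse\tfoo.c\t/^parse(char *s)$/\r\n";

/* Does the n-byte line (not NUL-terminated) contain needle? */
static int line_contains(const char *line, size_t n, const char *needle)
{
    size_t k = strlen(needle);
    for (size_t i = 0; i + k <= n; i++)
        if (memcmp(line + i, needle, k) == 0)
            return 1;
    return 0;
}

/* Copy in[0..len) to out (room for len bytes), dropping lines that contain
   needle.  strip_eol != 0 strips "\n"/"\r\n" on read and writes back "\n",
   changing the EOL format; strip_eol == 0 keeps each terminator as is. */
size_t filter_tags(const char *in, size_t len, const char *needle,
                   int strip_eol, char *out)
{
    size_t w = 0, pos = 0;
    while (pos < len) {
        const char *line = in + pos;
        const char *nl = memchr(line, '\n', len - pos);
        size_t raw = nl ? (size_t)(nl - line) + 1 : len - pos; /* with EOL */
        size_t text = nl ? raw - 1 : raw;                      /* without EOL */
        if (nl && text > 0 && line[text - 1] == '\r')
            text--;
        pos += raw;
        if (line_contains(line, text, needle))
            continue;                      /* entry for the updated file */
        size_t n = strip_eol ? text : raw;
        memcpy(out + w, line, n);
        w += n;
        if (strip_eol && nl) out[w++] = '\n';
    }
    return w;
}

int main(void)
{
    char out[sizeof SAMPLE];
    printf("preserved: %zu bytes\n", filter_tags(SAMPLE, sizeof SAMPLE - 1, "\tfoo.c\t", 0, out));
    printf("normalized: %zu bytes\n", filter_tags(SAMPLE, sizeof SAMPLE - 1, "\tfoo.c\t", 1, out));
}
```

With `strip_eol` set, the surviving line comes back one byte shorter because its CR is gone, which is the silent format change the message objects to for files written by other tools.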