From: lux
Newsgroups: gmane.emacs.bugs
Subject: bug#66390: `man' allows to inject arbitrary shell code
Date: Tue, 10 Oct 2023 00:30:06 +0800
References: <83wmvyzir2.fsf@gnu.org> <585dcaf0-358e-4a9d-84d1-6fd9c2c8aec5@gmail.com> <83v8bizf9r.fsf@gnu.org> <1865abb8-16cd-4570-9a8a-87cf9430583d@gmail.com> <875y3iigua.fsf@gmx.de> <83o7hazap7.fsf@gnu.org> <87mswugyoq.fsf@gmx.de> <83jzryz6op.fsf@gnu.org> <87a5sugwcx.fsf@gmx.de> <83h6n2z3tr.fsf@gnu.org> <831qe5znrz.fsf@gnu.org>
To: Eli Zaretskii, Max Nikulin
Cc: 66390@debbugs.gnu.org, michael.albinus@gmx.de
In-Reply-To: <831qe5znrz.fsf@gnu.org>

On Sun, 2023-10-08 at 08:28 +0300, Eli Zaretskii wrote:
> > Date: Sun, 8 Oct 2023 10:37:33 +0700
> > Cc: 66390@debbugs.gnu.org
> > From: Max Nikulin
> >
> > On 08/10/2023 01:26, Eli Zaretskii wrote:
> > >
> > > So the problem _is_ with the shell?  If so, the best way of avoiding
> > > these problems is not to invoke 'man' via the shell, but via call-process
> > > and its ilk instead.
> >
> > It will be great if it is possible to avoid the shell in the middle. However
> > - man.el uses pipes with sed and awk to post-process the output of the man
> > executable.
> > - if support of remote man files is considered then it is even more hard
> > to avoid the shell. SSH assumes shell commands.
>
> Even if sometimes the shell cannot be avoided (which has yet to be
> established, AFAIU), it's not an argument against avoiding it where
> possible, because that solves any security issues, definitely those
> you brought up.
>
> > I had in mind using at least `shell-quote-argument'.
>
> That doesn't work with 'man', which has its own ideas about quoting,
> besides shell-related quoting.
>
> > The issues of sanitizing outputs in callers:
> > - If there was a safe function in man.el then callers' code would be more
> > simple, so it would be less probable to introduce bugs in such code.
> > - the behavior of the `man' emacs command is *underspecified*, so it is hard
> > to provide a safe argument for it. Some parentheses are allowed, as in
> > "man(1)"; others may be interpreted by the shell.
> > - `shell-quote-argument' in callers would rely on man.el implementation
> > details at best or may even lead to undefined behavior, since I see
> > no way to bypass some processing of the argument of the `man' emacs command.
>
> Reiterating what you already said doesn't help to have a productive
> discussion.
>
> > Execution of a part of the `man' emacs command argument by the shell is a surprise
> > to the user in any case. Ideally elisp code should prevent it and man.el
> > should emit an error.
>
> IMO, this ideal cannot be reached in practice, let alone kept for any
> length of time.  Systems are adding strangely-named man pages all the
> time.  We had quite a few bug reports about that during the recent
> years.
>
> > Attempts to call `man' from other packages are an open door for
> > security vulnerabilities.
>
> Then perhaps those other packages shouldn't call 'man'.
>
>
>

Hi,

There is indeed a code injection vulnerability issue here, for example:

(man ";ls") <-- The `ls' command will be executed.

I think the fix can start with the `Man-translate-references' function.

Here's my patch and the test cases.

[Attachment: 0001-Fix-man.el-code-injection-vulnerability.patch]

From 1c2905d93d3cba966a7d244f4c278c720ceff378 Mon Sep 17 00:00:00 2001
From: Xi Lu <lx@shellcodes.org>
Date: Tue, 10 Oct 2023 00:21:31 +0800
Subject: [PATCH] Fix man.el code injection vulnerability.

* lisp/man.el (Man-translate-references): Fix code injection.
* test/lisp/man-tests.el (man-tests-Man-translate-references): New.
---
 lisp/man.el            |  2 +-
 test/lisp/man-tests.el | 10 ++++++++++
 2 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/lisp/man.el b/lisp/man.el
index 286edf9314e..43839959622 100644
--- a/lisp/man.el
+++ b/lisp/man.el
@@ -684,7 +684,7 @@ Man-translate-references
       (setq name (match-string 2 ref)
 	    section (match-string 1 ref))))
     (if (string= name "")
-	ref				; Return the reference as is
+	(shell-quote-argument ref)      ; Return the reference as is
       (if Man-downcase-section-letters-flag
 	  (setq section (downcase section)))
       (while slist
diff --git a/test/lisp/man-tests.el b/test/lisp/man-tests.el
index e3657d7df8a..48570967a09 100644
--- a/test/lisp/man-tests.el
+++ b/test/lisp/man-tests.el
@@ -161,6 +161,16 @@ man-bgproc-filter-buttonize-includes
           (let ((button (button-at (match-beginning 0))))
             (should (and button (eq 'Man-xref-header-file (button-type button))))))))))
 
+(ert-deftest man-tests-Man-translate-references ()
+  (should (equal (Man-translate-references "basename")
+                 "basename"))
+  (should (equal (Man-translate-references "basename(3)")
+                 "3 basename"))
+  (should (equal (Man-translate-references "basename(3v)")
+                 "3v basename"))
+  (should (equal (Man-translate-references ";id")
+                 "\\;id")))
+
 (provide 'man-tests)
 
 ;;; man-tests.el ends here
-- 
2.42.0
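Review bot: in the lisp/man.el hunk, the trailing comment on the `+` line still reads `; Return the reference as is`, which is no longer true once the branch returns `(shell-quote-argument ref)`; reword it to say that a reference matching neither the "name(section)" nor the "section name" form is quoted for the shell. That fall-through branch (`(string= name "")`) is the only place quoting is applied, and `shell-quote-argument` quotes for the shell of the running platform (backslash escaping on POSIX systems, different quoting on MS-Windows), so the return value of `Man-translate-references` now assumes it will reach a shell; a caller that hands the result to `man` through `call-process`, which is what Eli proposes earlier in the thread, would receive the added backslash literally. That trade-off deserves a sentence in the commit message.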
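Review bot: in the test/lisp/man-tests.el hunk, the last assertion `(should (equal (Man-translate-references ";id") "\\;id"))` hard-codes the POSIX result of `shell-quote-argument`; on MS-Windows that function quotes differently, so the test fails there. Either guard it with `(skip-unless (not (memq system-type '(windows-nt ms-dos))))` or compare against `(shell-quote-argument ";id")` computed in the test, which also documents where the backslash comes from. The three "basename" cases depend on the defaults of `Man-downcase-section-letters-flag` and `Man-specified-section-option`; binding both with `let` around the `should` forms keeps the expectations independent of user customization.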
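Max suggests above that man.el should refuse an argument the shell would interpret rather than run it, and Eli that `man` be invoked through `call-process` instead of a shell. The following is an added example of that combination, written for this thread and not code from the patch above or from man.el: the `my-man-…` names are hypothetical, and the allow-list deliberately rejects the strangely-named man pages Eli mentions in exchange for never handing any part of the topic to a shell.

```elisp
(require 'man)   ; for `manual-program'
(require 'ert)

;; Hypothetical helper, not part of man.el.  A topic is accepted only as
;; "NAME" or "NAME(SECTION)" over a fixed character set; shell
;; metacharacters (";", "|", "$", "`", quotes, spaces) fall outside it.
(defconst my-man-safe-topic-regexp
  "\\`\\([[:alnum:]_.+:@-]+\\)\\(?:(\\([[:alnum:]]+\\))\\)?\\'"
  "Match \"NAME\" or \"NAME(SECTION)\" and nothing else.")

(defun my-man-parse-safe-topic (topic)
  "Return (NAME . SECTION) for TOPIC, or signal `user-error'.
SECTION is nil when TOPIC carries no parenthesised section.  Names
that legitimately contain other characters are rejected as well;
that is the price of an allow-list."
  (if (string-match my-man-safe-topic-regexp topic)
      (cons (match-string 1 topic) (match-string 2 topic))
    (user-error "Refusing to run man on unsafe topic %S" topic)))

(defun my-man-safe (topic)
  "Show the manual page for TOPIC, running man without any shell.
Section and name travel as separate `call-process' arguments, so
no part of TOPIC is ever parsed by a shell."
  (interactive "sManual entry: ")
  (pcase-let ((`(,name . ,section) (my-man-parse-safe-topic topic)))
    (with-current-buffer (get-buffer-create "*Man safe*")
      (let ((inhibit-read-only t))
        (erase-buffer)
        (apply #'call-process manual-program nil t nil
               (append (and section (list section)) (list name))))
      (goto-char (point-min))
      (display-buffer (current-buffer)))))

;; Checks in the style of the patch's ert test; run with M-x ert.
(ert-deftest my-man-safe-topic-accepts-plain-and-sectioned-names ()
  (should (equal (my-man-parse-safe-topic "basename") '("basename" . nil)))
  (should (equal (my-man-parse-safe-topic "basename(3)") '("basename" . "3")))
  (should (equal (my-man-parse-safe-topic "basename(3v)") '("basename" . "3v"))))

(ert-deftest my-man-safe-topic-rejects-shell-metacharacters ()
  ;; Constructed inputs: each one must raise `user-error', never reach man.
  (dolist (bad '(";ls" "basename(3);ls" "$(ls)" "a b" "basename(3" ""))
    (should-error (my-man-parse-safe-topic bad) :type 'user-error)))
```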