From: lux
Newsgroups: gmane.emacs.bugs
Subject: bug#66390: `man' allows to inject arbitrary shell code
Date: Tue, 10 Oct 2023 22:30:03 +0800
To: Max Nikulin, Eli Zaretskii
Cc: 66390@debbugs.gnu.org, michael.albinus@gmx.de

On Tue, 2023-10-10 at 17:54 +0700, Max Nikulin wrote:
> On 09/10/2023 23:30, lux wrote:
> >
> > Here's my patch and the test cases.
>
> Thank you for your attempt to fix the issue. Unfortunately the proposed
> patch breaks the following case
>
>     M-x man RET -k man RET
>
> That is why I wrote that each word should be escaped independently.
>
> I am unsure if (man "-k man") should be supported as a call with an argument.
>

Thanks for the correction :-)

I have fixed my patch, and tested it on Emacs 30.0.50; it's OK.

Stefan, Max, can you test it again?

[Attachment: 0001-Fix-man.el-code-injection-vulnerability.patch (text/x-patch)]
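
The difference between quoting the whole topic string and quoting each word independently, as raised in the message above, shown as an added example (not code from man.el or from the attached patch). It assumes a POSIX shell; the `demo-` function names and the topic strings are constructed for illustration.

```elisp
;; Added example, not code from man.el or from the patch.
;; Assumes a POSIX shell; all `demo-' names are hypothetical.
(require 'cl-lib)

(defun demo-quote-whole (topic)
  "Quote TOPIC as one single shell word."
  (shell-quote-argument topic))

(defun demo-quote-words (topic)
  "Quote each space-separated word of TOPIC independently."
  (mapconcat #'shell-quote-argument (split-string topic " " t) " "))

(defun demo-argv (quoted)
  "Return the arguments a shell sees for QUOTED, each in brackets."
  (shell-command-to-string (concat "printf '[%s]' " quoted)))

(defun demo-run ()
  "Check both quoting strategies on constructed topic strings."
  ;; Whole-string quoting: option and keyword collapse into one
  ;; argument, which is why `M-x man RET -k man RET' breaks.
  (cl-assert (equal (demo-quote-whole "-k man") "-k\\ man"))
  (cl-assert (equal (demo-argv (demo-quote-whole "-k man")) "[-k man]"))
  ;; Per-word quoting: two separate arguments reach the program.
  (cl-assert (equal (demo-quote-words "-k man") "-k man"))
  (cl-assert (equal (demo-argv (demo-quote-words "-k man")) "[-k][man]"))
  ;; A shell metacharacter inside a word stays literal data.
  (cl-assert (equal (demo-quote-words "man;true") "man\\;true"))
  (cl-assert (equal (demo-argv (demo-quote-words "man;true")) "[man;true]"))
  t)
```

Evaluating `(demo-run)` returns `t` when every check holds; only quoted strings are ever handed to the shell.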