From: "lux" <lx@shellcodes.org>
To: 59544@debbugs.gnu.org
Cc: lux <lx@shellcodes.org>
Subject: bug#59544: [PATCH] Fixed lib-src/etags.c command execute vulnerability
Date: Thu, 24 Nov 2022 23:27:13 +0800
Message-ID: <tencent_624F1E3EBC2BD88CD37906B526AE46F60E05@qq.com>
Hi, ctags (Emacs <= 28.2.50) has a command execution vulnerability.
When the -u parameter is used, ctags executes external shell commands by calling the system() function; if there are special file names, unexpected shell commands may be executed. An example follows:
$ ls
etags.c
$ /usr/local/bin/ctags *.c
$ touch "'| uname -a #.c"
$ /usr/local/bin/ctags -u *.c
Linux mypc 6.0.8-300.fc37.x86_64 #1 SMP PREEMPT_DYNAMIC Fri Nov 11 15:09:04 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
^C/usr/local/bin/ctags: failed to execute shell command
The vulnerability occurs in the following code:
      char *z = stpcpy (cmd, "mv ");
      z = stpcpy (z, tagfile);
      z = stpcpy (z, " OTAGS;grep -Fv '\t");
      z = stpcpy (z, argbuffer[i].what);
      z = stpcpy (z, "\t' OTAGS >");
      z = stpcpy (z, tagfile);
      strcpy (z, ";rm OTAGS");
      if (system (cmd) != EXIT_SUCCESS)
        fatal ("failed to execute shell command");
Because the file name is not checked, the file name is used as a concatenated string:
mv tags OTAGS;grep -Fv ' '| uname -a #.c ' OTAGS >tags;rm OTAGS
The patch is attached to this email.
[-- Attachment #2: 0001-lib-src-etags.c-Fix-ctags-command-execute-vulnerabil.patch --]
From e21e6d684fbf679f22b69652708e91632c90618b Mon Sep 17 00:00:00 2001
From: lu4nx <lx@shellcodes.org>
Date: Thu, 24 Nov 2022 23:24:54 +0800
Subject: [PATCH] * lib-src/etags.c: Fix ctags command execute vulnerability
---
lib-src/etags.c | 33 +++++++++++++++++++++++++++++++++
1 file changed, 33 insertions(+)
diff --git a/lib-src/etags.c b/lib-src/etags.c
index f665f35fa6..7830db6451 100644
--- a/lib-src/etags.c
+++ b/lib-src/etags.c
@@ -157,6 +157,32 @@ memcpyz (void *dest, void const *src, ptrdiff_t len)
*e = '\0';
}
+static bool
+filename_has_shell_str(char *s)
+{
+ if (!s)
+ return false;
+
+ char *p = s;
+ while (*p != '\0')
+ {
+ switch (*p)
+ {
+ case '\'':
+ case '"':
+ case '&':
+ case '|':
+ case ';':
+ case '`':
+ case '$':
+ return true;
+ }
+ p++;
+ }
+
+ return false;
+}
+
static bool
streq (char const *s, char const *t)
{
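Review bot: filename_has_shell_str is a denylist of shell metacharacters, and a denylist is the fragile side of this fix: the switch lists seven characters, but the string is spliced into a command line that the shell parses in full, so any character the list omits (backslash, newline, redirections, globbing characters, and whatever future shells treat specially) stays unscreened. The durable change is to stop handing the file name to a shell at all, either by doing the `grep -Fv` filtering in-process or by running the tools through fork/exec with an argv, and to keep this function, if it stays, only as defence in depth. Two smaller points: the parameter should be `char const *s`, matching `streq (char const *s, char const *t)` directly below it, and the file's GNU style puts a space before the parenthesis, `filename_has_shell_str (char const *s)`.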
@@ -1400,6 +1426,13 @@ main (int argc, char **argv)
default:
continue; /* the for loop */
}
+
+ if ( filename_has_shell_str (argbuffer[i].what) )
+ {
+ printf ("Warning, ignore this file: %s\n", argbuffer[i].what);
+ continue;
+ }
+
char *z = stpcpy (cmd, "mv ");
z = stpcpy (z, tagfile);
z = stpcpy (z, " OTAGS;grep -Fv '\t");
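Review bot: the new check screens only argbuffer[i].what, while tagfile is spliced into the same cmd unquoted twice (`z = stpcpy (z, tagfile);` right after "mv " and again after " OTAGS >"), so the same kind of input reaches system() through that string unscreened; either screen both or, better, drop the system() call so neither needs screening. The warning is printed to stdout with printf; diagnostics belong on stderr, as the existing fatal() path does, and the wording should say what happens, e.g. "warning: ignoring file %s". Note also that `continue` here leaves the old entries for that file in the tags file, so an update run silently produces a stale result rather than an error; that trade-off should at least be stated in the message.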
--
2.38.1