From mboxrd@z Thu Jan 1 00:00:00 1970 Path: news.gmane.io!.POSTED.blaine.gmane.org!not-for-mail From: Eli Zaretskii Newsgroups: gmane.emacs.bugs Subject: bug#59544: [PATCH] Fixed lib-src/etags.c command execute vulnerability Date: Thu, 24 Nov 2022 20:01:46 +0200 Message-ID: <837czkw7sl.fsf@gnu.org> References: Injection-Info: ciao.gmane.io; posting-host="blaine.gmane.org:116.202.254.214"; logging-data="32607"; mail-complaints-to="usenet@ciao.gmane.io" Cc: 59544@debbugs.gnu.org, lx@shellcodes.org To: "lux" Original-X-From: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane-mx.org@gnu.org Thu Nov 24 19:02:30 2022 Return-path: Envelope-to: geb-bug-gnu-emacs@m.gmane-mx.org Original-Received: from lists.gnu.org ([209.51.188.17]) by ciao.gmane.io with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1oyGYP-0008HP-Tq for geb-bug-gnu-emacs@m.gmane-mx.org; Thu, 24 Nov 2022 19:02:30 +0100 Original-Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1oyGYA-0007gZ-33; Thu, 24 Nov 2022 13:02:14 -0500 Original-Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1oyGY1-0007cV-T4 for bug-gnu-emacs@gnu.org; Thu, 24 Nov 2022 13:02:07 -0500 Original-Received: from debbugs.gnu.org ([209.51.188.43]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1oyGXy-0001C8-KV for bug-gnu-emacs@gnu.org; Thu, 24 Nov 2022 13:02:03 -0500 Original-Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1oyGXy-0006BA-0x for bug-gnu-emacs@gnu.org; Thu, 24 Nov 2022 13:02:02 -0500 X-Loop: help-debbugs@gnu.org Resent-From: Eli Zaretskii Original-Sender: "Debbugs-submit" Resent-CC: bug-gnu-emacs@gnu.org Resent-Date: Thu, 24 Nov 2022 18:02:01 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 59544 X-GNU-PR-Package: emacs X-GNU-PR-Keywords: patch Original-Received: via spool by 59544-submit@debbugs.gnu.org id=B59544.166931289623722 (code B ref 59544); Thu, 24 Nov 2022 18:02:01 +0000 Original-Received: (at 59544) by debbugs.gnu.org; 24 Nov 2022 18:01:36 +0000 Original-Received: from localhost ([127.0.0.1]:59974 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1oyGXY-0006AY-CE for submit@debbugs.gnu.org; Thu, 24 Nov 2022 13:01:36 -0500 Original-Received: from eggs.gnu.org ([209.51.188.92]:54046) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1oyGXW-0006AL-QU for 59544@debbugs.gnu.org; Thu, 24 Nov 2022 13:01:35 -0500 Original-Received: from fencepost.gnu.org ([2001:470:142:3::e]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1oyGXP-00017t-FA; Thu, 24 Nov 2022 13:01:27 -0500 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=gnu.org; s=fencepost-gnu-org; h=References:Subject:In-Reply-To:To:From:Date: mime-version; bh=hxNE0mXgAn2wGcHztaOSGGw7W2nWoA2L1cDMzaAoU7U=; b=G1RLBeKsz/bT 6omqbsXgo4NNDXhJ7LHfEVVMM9Qhi6vt7g3Hp9Cw5U3XVmpWa41kVapqNSf0z/UlNXEJle0Ymgoei nQRO3LhTcJ0AEVtJWDdo/gfLHEepEOgnfPZG9k1iItAL4VolB0pqbex3kaQJhv5FWhOLGl6wt+j/d K3yAhO4XXXTC+Ch3L8TSWXqovFPfqpJQH7Cf6XdylKa/57MBnCjQMcsIblMkTaTC2KX/Ub6LZz7kO n1ulIrBJkae6SvWXEkcDGx97dEDvknqgJWKLj+z9bS1xfLtNK44pC/f9s4G9GTu2TXv/gvLQ8cRrD BNTTjmuYavA2y+zYKXpPzQ==; Original-Received: from [87.69.77.57] (helo=home-c4e4a596f7) by fencepost.gnu.org with esmtpsa (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1oyGXO-00079K-SU; Thu, 24 Nov 2022 13:01:27 -0500 In-Reply-To: (lx@shellcodes.org) X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list X-BeenThere: bug-gnu-emacs@gnu.org List-Id: "Bug reports for GNU Emacs, the Swiss army knife of text editors" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane-mx.org@gnu.org Original-Sender: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane-mx.org@gnu.org Xref: news.gmane.io gmane.emacs.bugs:248884 Archived-At: > Cc: lux > From: "lux" > Date: Thu, 24 Nov 2022 23:27:13 +0800 > > When using the -u parameter, ctags will execute external shell commands by calling the system() function, > if there are special file names, unexpected shell commands may be executed. The example is as follows: > > $ ls > etags.c > $ /usr/local/bin/ctags *.c > $ touch "'| uname -a #.c" > $ /usr/local/bin/ctags -u *.c > Linux mypc 6.0.8-300.fc37.x86_64 #1 SMP PREEMPT_DYNAMIC Fri Nov 11 15:09:04 UTC 2022 x86_64 > x86_64 x86_64 GNU/Linux > > ^C/usr/local/bin/ctags: failed to execute shell command > > The vulnerability occurs in the following code: > > char *z = stpcpy (cmd, "mv "); > z = stpcpy (z, tagfile); > z = stpcpy (z, " OTAGS;grep -Fv '\t"); > z = stpcpy (z, argbuffer[i].what); > z = stpcpy (z, "\t' OTAGS >"); > z = stpcpy (z, tagfile); > strcpy (z, ";rm OTAGS"); > if (system (cmd) != EXIT_SUCCESS) > fatal ("failed to execute shell command"); > > Because the file name is not checked, the file name is used as a concatenated string: > > mv tags OTAGS;grep -Fv ' '| uname -a #.c ' OTAGS >tags;rm OTAGS > > Email attachments are patches. Thanks, but the solution you propose for this is too drastic: it in effect rejects legitimate file names just because they have characters which look "suspicious". I think we need a more accurate test, which will not produce false positives so easily. Or maybe we need to ask the user for confirmation instead of skipping the files with suspicious names.