From: Stefan Kangas
Newsgroups: gmane.emacs.bugs
Subject: bug#59544: [PATCH] Fixed lib-src/etags.c command execute vulnerability
Date: Thu, 24 Nov 2022 23:53:46 -0800
To: lux
Cc: 59544 <59544@debbugs.gnu.org>, Eli Zaretskii
X-GNU-PR-Package: emacs
X-GNU-PR-Keywords: security patch
In-Reply-To: (lux's message of "Fri, 25 Nov 2022 14:41:56 +0800")

"lux" writes:

> I rewrote this code so that it does not use system(1). Thanks.

> From d6bc71f8640efe7caa2657a75c5aa4d8b4f0532c Mon Sep 17 00:00:00 2001
> From: lu4nx
> Date: Fri, 25 Nov 2022 14:38:29 +0800
> Subject: [PATCH] * Fixed lib-src/etags.c command execute vulnerability
>
> ---
> lib-src/etags.c | 44 +++++++++++++++++++++++++++++++-------------
> 1 file changed, 31 insertions(+), 13 deletions(-)
>
> diff --git a/lib-src/etags.c b/lib-src/etags.c
> index f665f35fa6..1bb352f565 100644
> --- a/lib-src/etags.c
> +++ b/lib-src/etags.c
> @@ -1387,9 +1387,11 @@ main (int argc, char **argv) > /* From here on, we are in (CTAGS && !cxref_style) */ > if (update) > { > - char *cmd = > - xmalloc (strlen (tagfile) + whatlen_max + > - sizeof "mv..OTAGS;grep -Fv '\t\t' OTAGS >;rm OTAGS"); > + FILE *otags_f, *tag_f; > + int buf_len; > + char *buf; > + char line[512]; Hmm, I'm not sure about the hard-coded 512 character line limit here. ISTR that some people use much longer lines than that. Could we do without it? (As a matter of style, I would just declare the types at first use, which limits their scope and makes the code easier to read. But it's up to you.) > + > for (i = 0; i < current_arg; ++i) > { > switch (argbuffer[i].arg_type) 
> @@ -1400,17 +1402,33 @@ main (int argc, char **argv) > default: > continue; /* the for loop */ > } > - char *z = stpcpy (cmd, "mv "); > - z = stpcpy (z, tagfile); > - z = stpcpy (z, " OTAGS;grep -Fv '\t"); > - z = stpcpy (z, argbuffer[i].what); > - z = stpcpy (z, "\t' OTAGS >"); > - z = stpcpy (z, tagfile); > - strcpy (z, ";rm OTAGS"); > - if (system (cmd) != EXIT_SUCCESS) > - fatal ("failed to execute shell command"); > + > + otags_f = fopen ("OTAGS", "w"); > + tag_f = fopen (tagfile, "r"); > + > + if (otags_f == NULL) > + pfatal ("OTAGS"); > + > + if (tag_f == NULL) > + pfatal (tagfile); > + > + buf_len = strlen (argbuffer[i].what) + sizeof ("\t\t ") + 1; > + buf = xmalloc (buf_len); > + snprintf (buf, buf_len, "\t%s\t", argbuffer[i].what); > + > + while (fgets (line, sizeof (line), tag_f) != NULL) We should check ferror(tag_f), too and croak if there is a problem. > + { > + if (strstr (line, buf) == NULL) > + fputs (line, otags_f); Missing error handling for fputs. > + } > + > + fclose (otags_f); > + fclose (tag_f); Should be: if (fclose (otags_f) == EOF) pfatal (otags_f); if (fclose (tag_f) == EOF) pfatal (tag_f); > + > + rename ("OTAGS", tagfile); > + unlink ("OTAGS"); Please add error handling for both of these. > } > - free (cmd); > + Nit: I don't think the empty line helps here? > append_to_tagfile = true; > }
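Review bot: in the first hunk (`@@ -1387,9 +1387,11 @@`), `char line[512]` caps each fgets read at 511 bytes, so a longer tag line comes back in several pieces; the second hunk's `strstr (line, buf)` then judges each piece on its own, which means a line that should be dropped can leave its tail in the output, or the `\tWHAT\t` pattern can straddle two reads and the line survives the filter. Reading whole lines (POSIX getline, or reallocating until the buffer ends in a newline) removes both the limit and the boundary case. `int buf_len` also receives a `size_t` from strlen; declare it `size_t`.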
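Review bot: in the second hunk (`@@ -1400,17 +1402,33 @@`), `rename ("OTAGS", tagfile);` and `unlink ("OTAGS");` are both unchecked, and after a successful rename the name OTAGS no longer exists, so the unlink can only fail; check rename's return and drop the unlink, or keep it only on the error path to remove the partial file. The fixed name OTAGS in the current directory is carried over from the old `mv ... OTAGS` command, but `fopen ("OTAGS", "w")` will follow a pre-existing symlink of that name, so a unique name from mkstemp in tagfile's directory would be the safer replacement; opening it before `tag_f` is checked also leaves an empty OTAGS behind when `pfatal (tagfile)` exits. `buf` is xmalloc'd on every iteration of the loop and never released now that `free (cmd)` is gone; add `free (buf)` after the fclose calls. When adding the fclose and fgets error checks, pass the file name string to pfatal, as the fopen checks in this hunk already do.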