From: "lux" <lx@shellcodes.org>
To: "Eli Zaretskii" <eliz@gnu.org>, "Stefan Kangas" <stefankangas@gmail.com>
Cc: 59544 <59544@debbugs.gnu.org>
Subject: bug#59544: [PATCH] Fixed lib-src/etags.c command execute vulnerability
Date: Fri, 25 Nov 2022 14:41:56 +0800 [thread overview]
Message-ID: <tencent_BA67F66A766B02EE74E407C2D58269381B09@qq.com> (raw)
In-Reply-To: <8335a8w643.fsf@gnu.org>
[-- Attachment #1.1: Type: text/plain, Size: 222 bytes --]
> That's a possibility, yes. Although I doubt that people are still using
> ctags that comes with Emacs (this code fragment runs only in ctags, not in
> etags).
I rewrote this code, not use system(1).
[-- Attachment #1.2: Type: text/html, Size: 417 bytes --]
[-- Attachment #2: 0001-Fixed-lib-src-etags.c-command-execute-vulnerability.patch --]
[-- Type: application/octet-stream, Size: 2104 bytes --]
From d6bc71f8640efe7caa2657a75c5aa4d8b4f0532c Mon Sep 17 00:00:00 2001
From: lu4nx <lx@shellcodes.org>
Date: Fri, 25 Nov 2022 14:38:29 +0800
Subject: [PATCH] * Fixed lib-src/etags.c command execute vulnerability
---
lib-src/etags.c | 44 +++++++++++++++++++++++++++++++-------------
1 file changed, 31 insertions(+), 13 deletions(-)
diff --git a/lib-src/etags.c b/lib-src/etags.c
index f665f35fa6..1bb352f565 100644
--- a/lib-src/etags.c
+++ b/lib-src/etags.c
@@ -1387,9 +1387,11 @@ main (int argc, char **argv)
/* From here on, we are in (CTAGS && !cxref_style) */
if (update)
{
- char *cmd =
- xmalloc (strlen (tagfile) + whatlen_max +
- sizeof "mv..OTAGS;grep -Fv '\t\t' OTAGS >;rm OTAGS");
+ FILE *otags_f, *tag_f;
+ int buf_len;
+ char *buf;
+ char line[512];
+
for (i = 0; i < current_arg; ++i)
{
switch (argbuffer[i].arg_type)
@@ -1400,17 +1402,33 @@ main (int argc, char **argv)
default:
continue; /* the for loop */
}
- char *z = stpcpy (cmd, "mv ");
- z = stpcpy (z, tagfile);
- z = stpcpy (z, " OTAGS;grep -Fv '\t");
- z = stpcpy (z, argbuffer[i].what);
- z = stpcpy (z, "\t' OTAGS >");
- z = stpcpy (z, tagfile);
- strcpy (z, ";rm OTAGS");
- if (system (cmd) != EXIT_SUCCESS)
- fatal ("failed to execute shell command");
+
+ otags_f = fopen ("OTAGS", "w");
+ tag_f = fopen (tagfile, "r");
+
+ if (otags_f == NULL)
+ pfatal ("OTAGS");
+
+ if (tag_f == NULL)
+ pfatal (tagfile);
+
+ buf_len = strlen (argbuffer[i].what) + sizeof ("\t\t ") + 1;
+ buf = xmalloc (buf_len);
+ snprintf (buf, buf_len, "\t%s\t", argbuffer[i].what);
+
+ while (fgets (line, sizeof (line), tag_f) != NULL)
+ {
+ if (strstr (line, buf) == NULL)
+ fputs (line, otags_f);
+ }
+
+ fclose (otags_f);
+ fclose (tag_f);
+
+ rename ("OTAGS", tagfile);
+ unlink ("OTAGS");
}
- free (cmd);
+
append_to_tagfile = true;
}
--
2.38.1
next prev parent reply other threads:[~2022-11-25 6:41 UTC|newest]
Thread overview: 30+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-11-24 15:27 bug#59544: [PATCH] Fixed lib-src/etags.c command execute vulnerability lux
2022-11-24 18:01 ` Eli Zaretskii
2022-11-24 18:12 ` Stefan Kangas
2022-11-24 18:38 ` Eli Zaretskii
2022-11-25 3:45 ` lux
2022-11-25 6:41 ` lux [this message]
2022-11-25 7:53 ` Stefan Kangas
2022-11-25 8:38 ` lux
2022-11-25 8:56 ` Stefan Kangas
2022-11-25 12:19 ` Eli Zaretskii
2022-11-25 12:18 ` Eli Zaretskii
2022-11-25 16:02 ` lux
2022-11-26 0:43 ` Stefan Kangas
2022-11-26 2:30 ` lux
2022-11-26 3:09 ` lux
2022-11-26 9:47 ` Stefan Kangas
2022-11-26 10:14 ` Eli Zaretskii
[not found] ` <tencent_A9399566146BF66A0CEFAEE4B3C285839109@qq.com>
2022-11-26 12:28 ` Eli Zaretskii
2022-11-26 13:03 ` Stefan Kangas
2022-11-26 14:15 ` Eli Zaretskii
[not found] ` <tencent_F5BD82AD38AB67E06AB86AE8EE5EE577C309@qq.com>
2022-11-26 14:30 ` Eli Zaretskii
2022-11-26 13:21 ` Eli Zaretskii
[not found] ` <tencent_63F9E4F0AB6043CE8C198E1AAA9AD9BB1A07@qq.com>
2022-11-26 14:17 ` Eli Zaretskii
[not found] ` <tencent_0B66566A766A94EE00E45DC327831B387709@qq.com>
2022-11-26 14:49 ` Eli Zaretskii
[not found] ` <tencent_B9EE8C5FCD5A8DCF9D8AFC56787AF00AE706@qq.com>
2022-11-26 17:11 ` Eli Zaretskii
2022-11-27 3:05 ` lux
2022-11-27 6:35 ` lux
2022-11-27 14:15 ` Eli Zaretskii
2022-11-27 14:31 ` Eli Zaretskii
[not found] ` <tencent_67B00527E64C548D4ECDF55D977C75B84B06@qq.com>
2022-11-27 18:07 ` Eli Zaretskii
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=tencent_BA67F66A766B02EE74E407C2D58269381B09@qq.com \
--to=lx@shellcodes.org \
--cc=59544@debbugs.gnu.org \
--cc=eliz@gnu.org \
--cc=stefankangas@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this external index
https://git.savannah.gnu.org/cgit/emacs.git
https://git.savannah.gnu.org/cgit/emacs/org-mode.git
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.