From: "lux"
Newsgroups: gmane.emacs.bugs
Subject: bug#59544: [PATCH] Fixed lib-src/etags.c command execute vulnerability
Date: Fri, 25 Nov 2022 14:41:56 +0800
References: <837czkw7sl.fsf@gnu.org> <8335a8w643.fsf@gnu.org>
In-Reply-To: <8335a8w643.fsf@gnu.org>
To: "Eli Zaretskii", "Stefan Kangas"
Cc: 59544 <59544@debbugs.gnu.org>
X-GNU-PR-Message: followup 59544
X-GNU-PR-Package: emacs
X-GNU-PR-Keywords: security patch
List-Id: "Bug reports for GNU Emacs, the Swiss army knife of text editors"

> That's a possibility, yes.  Although I doubt that people are still using
> ctags that comes with Emacs (this code fragment runs only in ctags, not in
> etags).

I rewrote this code so that it does not use system(1).

[Attachment: 0001-Fixed-lib-src-etags.c-command-execute-vulnerability.patch]

From d6bc71f8640efe7caa2657a75c5aa4d8b4f0532c Mon Sep 17 00:00:00 2001
From: lu4nx <lx@shellcodes.org>
Date: Fri, 25 Nov 2022 14:38:29 +0800
Subject: [PATCH] * Fixed lib-src/etags.c command execute vulnerability

---
 lib-src/etags.c | 44 +++++++++++++++++++++++++++++++-------------
 1 file changed, 31 insertions(+), 13 deletions(-)

diff --git a/lib-src/etags.c b/lib-src/etags.c
index f665f35fa6..1bb352f565 100644
--- a/lib-src/etags.c
+++ b/lib-src/etags.c
@@ -1387,9 +1387,11 @@ main (int argc, char **argv)
   /* From here on, we are in (CTAGS && !cxref_style) */
   if (update)
     {
-      char *cmd =
-	xmalloc (strlen (tagfile) + whatlen_max +
-		 sizeof "mv..OTAGS;grep -Fv '\t\t' OTAGS >;rm OTAGS");
+      FILE *otags_f, *tag_f;
+      int buf_len;
+      char *buf;
+      char line[512];
+
       for (i = 0; i < current_arg; ++i)
 	{
 	  switch (argbuffer[i].arg_type)
@@ -1400,17 +1402,33 @@ main (int argc, char **argv)
 	    default:
 	      continue;		/* the for loop */
 	    }
-	  char *z = stpcpy (cmd, "mv ");
-	  z = stpcpy (z, tagfile);
-	  z = stpcpy (z, " OTAGS;grep -Fv '\t");
-	  z = stpcpy (z, argbuffer[i].what);
-	  z = stpcpy (z, "\t' OTAGS >");
-	  z = stpcpy (z, tagfile);
-	  strcpy (z, ";rm OTAGS");
-	  if (system (cmd) != EXIT_SUCCESS)
-	    fatal ("failed to execute shell command");
+
+          otags_f = fopen ("OTAGS", "w");
+          tag_f = fopen (tagfile, "r");
+
+          if (otags_f == NULL)
+            pfatal ("OTAGS");
+
+          if (tag_f == NULL)
+            pfatal (tagfile);
+
+          buf_len = strlen (argbuffer[i].what) + sizeof ("\t\t ") + 1;
+           buf = xmalloc (buf_len);
+          snprintf (buf, buf_len, "\t%s\t", argbuffer[i].what);
+
+         while (fgets (line, sizeof (line), tag_f) != NULL)
+            {
+              if (strstr (line, buf) == NULL)
+                fputs (line, otags_f);
+            }
+
+          fclose (otags_f);
+          fclose (tag_f);
+
+          rename ("OTAGS", tagfile);
+          unlink ("OTAGS");
 	}
-      free (cmd);
+
       append_to_tagfile = true;
     }
 
-- 
2.38.1
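
Review bot: In the first hunk (the declarations at the top of the `if (update)` block), `int buf_len;` later receives `strlen (argbuffer[i].what) + sizeof ("\t\t ") + 1`, which is an unsigned size, so it should be declared `size_t` to avoid narrowing the value handed to `xmalloc` and `snprintf`. `char line[512]` also hard-codes the longest tags line the filter loop can read in one call; that limit needs either a comment or a growable buffer.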
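
Review bot: In the second hunk, the `while (fgets (line, sizeof (line), tag_f) != NULL)` loop applies `strstr` to chunks of at most 511 bytes rather than to whole lines, so a tags line longer than the buffer can be dropped only in part, and a `"\t%s\t"` match that straddles a chunk boundary is missed, whereas the removed `grep -Fv` filtered whole lines; read a complete line before matching. The return values of `fclose (otags_f)` and `rename ("OTAGS", tagfile)` are ignored, so a short write can replace the tags file with a truncated copy and a failed rename leaves it unfiltered with no error reported; check both and call `pfatal` on failure, and drop the `unlink ("OTAGS")` that follows a successful rename. `buf` is allocated on every loop iteration and is never freed now that `free (cmd)` has been removed.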