GNU bug report logs -
#59544
[PATCH] Fixed lib-src/etags.c command execute vulnerability
Reported by: "lux" <lx <at> shellcodes.org>
Date: Thu, 24 Nov 2022 15:28:02 UTC
Severity: normal
Tags: patch, security
Done: Eli Zaretskii <eliz <at> gnu.org>
Bug is archived. No further changes may be made.
Hi, ctags (Emacs <= 28.2.50) has a command execution vulnerability.
When using the -u parameter, ctags will execute external shell commands by calling the system() function; if there are special file names, unexpected shell commands may be executed. The example is as follows:
$ ls
etags.c
$ /usr/local/bin/ctags *.c
$ touch "'| uname -a #.c"
$ /usr/local/bin/ctags -u *.c
Linux mypc 6.0.8-300.fc37.x86_64 #1 SMP PREEMPT_DYNAMIC Fri Nov 11 15:09:04 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
^C/usr/local/bin/ctags: failed to execute shell command
The vulnerability occurs in the following code:
char *z = stpcpy (cmd, "mv ");
z = stpcpy (z, tagfile);
z = stpcpy (z, " OTAGS;grep -Fv '\t");
z = stpcpy (z, argbuffer[i].what);
z = stpcpy (z, "\t' OTAGS >");
z = stpcpy (z, tagfile);
strcpy (z, ";rm OTAGS");
if (system (cmd) != EXIT_SUCCESS)
  fatal ("failed to execute shell command");
Because the file name is not checked, the file name is used as a concatenated string:
mv tags OTAGS;grep -Fv ' '| uname -a #.c ' OTAGS >tags;rm OTAGS
Email attachments are patches.
[0001-lib-src-etags.c-Fix-ctags-command-execute-vulnerabil.patch (application/octet-stream, attachment)]
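An added example, not the patch attached to this report and not code from etags.c: `build_cmd` reproduces the string concatenation quoted in the report so the injected command can be inspected without running it, and `filter_tags` performs the `grep -Fv '\t<name>\t'` step in C with no shell, so the file name is only ever treated as data. The function names are assumptions made for this illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* The command string as the quoted snippet builds it (built, never run). */
int build_cmd(char *cmd, size_t n, const char *tagfile, const char *what) {
    return snprintf(cmd, n, "mv %s OTAGS;grep -Fv '\t%s\t' OTAGS >%s;rm OTAGS",
                    tagfile, what, tagfile);
}

/* Read one line of any length; caller frees. NULL at EOF or on error. */
char *read_line(FILE *in) {
    size_t len = 0, cap = 128;
    char *buf = malloc(cap), *p;
    int c;
    while (buf && (c = fgetc(in)) != EOF) {
        if (len + 2 > cap) {
            if (!(p = realloc(buf, cap *= 2))) { free(buf); return NULL; }
            buf = p;
        }
        buf[len++] = (char)c;
        if (c == '\n') break;
    }
    if (!buf || len == 0) { free(buf); return NULL; }
    buf[len] = '\0';
    return buf;
}

/* Shell-free stand-in for grep -Fv '\t<what>\t': copy each line of `in`
   that lacks the tab-delimited name to `out`. Returns lines dropped or -1. */
int filter_tags(FILE *in, FILE *out, const char *what) {
    size_t n = strlen(what) + 3;
    char *needle = malloc(n), *line;
    int dropped = 0;
    if (!needle) return -1;
    snprintf(needle, n, "\t%s\t", what);
    while ((line = read_line(in)) != NULL) {
        if (strstr(line, needle)) dropped++;
        else fputs(line, out);
        free(line);
    }
    free(needle);
    return dropped;
}

int main(void) {   /* print what system() would have been handed */
    char cmd[256];
    build_cmd(cmd, sizeof cmd, "tags", "'| uname -a #.c");
    return puts(cmd) == EOF;
}
```

With the file name from the report, `build_cmd` yields the same string the reporter shows, where the name's leading quote closes the grep pattern; `filter_tags` given the same name simply drops the matching tags line.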
This bug report was last modified 2 years and 129 days ago.