GNU bug report logs - #59544
[PATCH] Fixed lib-src/etags.c command execute vulnerability

Package: emacs

Reported by: "lux" <lx <at> shellcodes.org>

Date: Thu, 24 Nov 2022 15:28:02 UTC

Severity: normal

Tags: patch, security

Done: Eli Zaretskii <eliz <at> gnu.org>

Bug is archived. No further changes may be made.


From: Eli Zaretskii <eliz <at> gnu.org>
To: lux <lx <at> shellcodes.org>
Cc: 59544 <at> debbugs.gnu.org, stefankangas <at> gmail.com
Subject: bug#59544: [PATCH] Fixed lib-src/etags.c command execute vulnerability
Date: Sat, 26 Nov 2022 16:49:56 +0200
> Date: Sat, 26 Nov 2022 22:26:22 +0800
> Cc: stefankangas <at> gmail.com, 59544 <at> debbugs.gnu.org
> From: lux <lx <at> shellcodes.org>
> 
> Yes, but I think it violates the original author's intention, and it 
> seems that there is no occasion to use this parameter in etags?
> 
> /*
>   * Read a line of text from `stream' into `lbp', excluding the
>   * newline or CR-NL, if any.  Return the number of characters read from
>   * `stream', which is the length of the line including the newline.
>   *
>   * On DOS or Windows we do not count the CR character, if any before the
>   * NL, in the returned length; this mirrors the behavior of Emacs on those
>   * platforms (for text files, it translates CR-NL to NL as it reads in the
>   * file).

The above is about the character counts written in TAGS tables, which are
produced by etags, not by ctags.  Files produced by ctags only count lines,
not characters.  So the above comment is not relevant to ctags.

More importantly, the original tags file could have been written by a
utility other than our ctags, and I don't think we should change the EOL
format of such a file when we update it.




This bug report was last modified 2 years and 129 days ago.


GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.