GNU bug report logs - #59544
[PATCH] Fixed lib-src/etags.c command execute vulnerability


Package: emacs;

Reported by: "lux" <lx <at> shellcodes.org>

Date: Thu, 24 Nov 2022 15:28:02 UTC

Severity: normal

Tags: patch, security

Done: Eli Zaretskii <eliz <at> gnu.org>

Bug is archived. No further changes may be made.


From: help-debbugs <at> gnu.org (GNU bug Tracking System)
To: Eli Zaretskii <eliz <at> gnu.org>
Cc: tracker <at> debbugs.gnu.org
Subject: bug#59544: closed ([PATCH] Fixed lib-src/etags.c command execute
 vulnerability)
Date: Sun, 27 Nov 2022 18:08:02 +0000
[Message part 1 (text/plain, inline)]
Your message dated Sun, 27 Nov 2022 20:07:54 +0200
with message-id <83edtop8xx.fsf <at> gnu.org>
and subject line Re: bug#59544: [PATCH] Fixed lib-src/etags.c command execute vulnerability
has caused the debbugs.gnu.org bug report #59544,
regarding [PATCH] Fixed lib-src/etags.c command execute vulnerability
to be marked as done.

(If you believe you have received this mail in error, please contact
help-debbugs <at> gnu.org.)


-- 
59544: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=59544
GNU Bug Tracking System
Contact help-debbugs <at> gnu.org with problems
[Message part 2 (message/rfc822, inline)]
From: "lux" <lx <at> shellcodes.org>
To: "bug-gnu-emacs" <bug-gnu-emacs <at> gnu.org>
Cc: lux <lx <at> shellcodes.org>
Subject: [PATCH] Fixed lib-src/etags.c command execute vulnerability
Date: Thu, 24 Nov 2022 23:27:13 +0800
[Message part 3 (text/plain, inline)]
Hi, ctags (Emacs <= 28.2.50) has a command execute vulnerability.

When using the -u parameter, ctags will execute external shell commands by calling the system() function; if there are special file names, unexpected shell commands may be executed. The example is as follows:


$ ls
etags.c

$ /usr/local/bin/ctags *.c
$ touch "'| uname -a #.c"
$ /usr/local/bin/ctags -u *.c
Linux mypc 6.0.8-300.fc37.x86_64 #1 SMP PREEMPT_DYNAMIC Fri Nov 11 15:09:04 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux


^C/usr/local/bin/ctags: failed to execute shell command


The vulnerability occurs in the following code:


char *z = stpcpy (cmd, "mv ");
z = stpcpy (z, tagfile);
z = stpcpy (z, " OTAGS;grep -Fv '\t");
z = stpcpy (z, argbuffer[i].what);
z = stpcpy (z, "\t' OTAGS >");
z = stpcpy (z, tagfile);
strcpy (z, ";rm OTAGS");
if (system (cmd) != EXIT_SUCCESS)
  fatal ("failed to execute shell command");



Because the file name is not checked, the file name is used as a concatenated string:


mv tags OTAGS;grep -Fv '	'| uname -a #.c	' OTAGS >tags;rm OTAGS


Email attachments are patches.
[Message part 4 (text/html, inline)]
[0001-lib-src-etags.c-Fix-ctags-command-execute-vulnerabil.patch (application/octet-stream, attachment)]
[Message part 6 (message/rfc822, inline)]
From: Eli Zaretskii <eliz <at> gnu.org>
To: lux <lx <at> shellcodes.org>
Cc: 59544-done <at> debbugs.gnu.org, stefankangas <at> gmail.com
Subject: Re: bug#59544: [PATCH] Fixed lib-src/etags.c command execute
 vulnerability
Date: Sun, 27 Nov 2022 20:07:54 +0200
> Date: Sun, 27 Nov 2022 23:44:07 +0800
> From: lux <lx <at> shellcodes.org>
> 
> On Sun, 27 Nov 2022 16:15:38 +0200
> Eli Zaretskii <eliz <at> gnu.org> wrote:
> 
> > But something is wrong with the 2 new tests: they fail.  I replaced
> > the "good" files with the ones I get on my system, but the test fails
> > on another system.  Could you please look into the test failures and
> > find a fix?
> 
> Hi, I think because the order of the tag data of the files generated by
> different OS environments is different.
> 
> I sorted the file using the sort command, test ok.
> 
> ctags_update: CTAGS.good_update ${infiles}
> 	head -n 100 CTAGS.good_update > CTAGS
> 	tail -n 100 CTAGS.good_update >> CTAGS
> 	${RUN} ${CTAGS_PROG} -o CTAGS -u ${ARGS}
> 	diff -u --suppress-common-lines --width=80 <(sort CTAGS.good_update) <(sort CTAGS)
> 
> 	cp crlf CTAGS
> 	${RUN} ${CTAGS_PROG} -o CTAGS -u ${ARGS}
> 	diff -u --suppress-common-lines --width=80 <(sort CTAGS.good_crlf) <(sort CTAGS)

Thanks, I installed a variant of this using more portable commands.

And with that, I'm closing this bug.


This bug report was last modified 2 years and 129 days ago.
