GNU bug report logs - #59544
[PATCH] Fixed lib-src/etags.c command execute vulnerability
Reported by: "lux" <lx <at> shellcodes.org>
Date: Thu, 24 Nov 2022 15:28:02 UTC
Severity: normal
Tags: patch, security
Done: Eli Zaretskii <eliz <at> gnu.org>
Bug is archived. No further changes may be made.
[Message part 1 (text/plain, inline)]
Your bug report
#59544: [PATCH] Fixed lib-src/etags.c command execute vulnerability
which was filed against the emacs package, has been closed.
The explanation is attached below, along with your original report.
If you require more details, please reply to 59544 <at> debbugs.gnu.org.
--
59544: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=59544
GNU Bug Tracking System
Contact help-debbugs <at> gnu.org with problems
[Message part 2 (message/rfc822, inline)]
> Date: Sun, 27 Nov 2022 23:44:07 +0800
> From: lux <lx <at> shellcodes.org>
>
> On Sun, 27 Nov 2022 16:15:38 +0200
> Eli Zaretskii <eliz <at> gnu.org> wrote:
>
> > But something is wrong with the 2 new tests: they fail. I replaced
> > the "good" files with the ones I get on my system, but the test fails
> > on another system. Could you please look into the test failures and
> > find a fix?
>
> Hi, I think this is because the order of the tag data in the files
> generated by different OS environments is different.
>
> I sorted the files using the sort command, and the test is OK.
>
> ctags_update: CTAGS.good_update ${infiles}
> 	head -n 100 CTAGS.good_update > CTAGS
> 	tail -n 100 CTAGS.good_update >> CTAGS
> 	${RUN} ${CTAGS_PROG} -o CTAGS -u ${ARGS}
> 	diff -u --suppress-common-lines --width=80 <(sort CTAGS.good_update) <(sort CTAGS)
>
> 	cp crlf CTAGS
> 	${RUN} ${CTAGS_PROG} -o CTAGS -u ${ARGS}
> 	diff -u --suppress-common-lines --width=80 <(sort CTAGS.good_crlf) <(sort CTAGS)
Thanks, I installed a variant of this using more portable commands.
And with that, I'm closing this bug.
[Message part 3 (message/rfc822, inline)]
[Message part 4 (text/plain, inline)]
Hi, ctags (Emacs <= 28.2.50) has a command execution vulnerability.
When using the -u parameter, ctags will execute external shell commands by calling the system() function; if there are special file names, unexpected shell commands may be executed. The example is as follows:
$ ls
etags.c
$ /usr/local/bin/ctags *.c
$ touch "'| uname -a #.c"
$ /usr/local/bin/ctags -u *.c
Linux mypc 6.0.8-300.fc37.x86_64 #1 SMP PREEMPT_DYNAMIC Fri Nov 11 15:09:04 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
^C/usr/local/bin/ctags: failed to execute shell command
The vulnerability occurs in the following code:
char *z = stpcpy (cmd, "mv ");
z = stpcpy (z, tagfile);
z = stpcpy (z, " OTAGS;grep -Fv '\t");
z = stpcpy (z, argbuffer[i].what);
z = stpcpy (z, "\t' OTAGS >");
z = stpcpy (z, tagfile);
strcpy (z, ";rm OTAGS");
if (system (cmd) != EXIT_SUCCESS)
  fatal ("failed to execute shell command");
Because the file name is not checked, the file name is used as a concatenated string:
mv tags OTAGS;grep -Fv ' '| uname -a #.c ' OTAGS >tags;rm OTAGS
Email attachments are patches.
[0001-lib-src-etags.c-Fix-ctags-command-execute-vulnerabil.patch (application/octet-stream, attachment)]
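As an added illustration (not the attached patch and not Emacs code), here is one way to do the work of the quoted `mv` / `grep -Fv` / `rm` command line without a shell, so the file name is only ever compared as bytes. The function name `drop_tag_lines` is hypothetical, and the code assumes a text tags file that fits in memory.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example: remove every line of TAGFILE that contains
   "<TAB>NAME<TAB>", which is what grep -Fv did in the shell command.
   NAME is never parsed by a shell, so quotes, '|' and '#' in it are inert.
   Returns the number of lines dropped, or -1 on error.
   Assumption: TAGFILE is text (no NUL bytes) and fits in memory.  */
int
drop_tag_lines (const char *tagfile, const char *name)
{
  int dropped = -1;
  long size = -1;
  char *buf = NULL, *needle = malloc (strlen (name) + 3);
  FILE *fp = fopen (tagfile, "rb");
  if (!fp || !needle)
    goto done;
  sprintf (needle, "\t%s\t", name);
  if (fseek (fp, 0, SEEK_END) == 0)
    size = ftell (fp);
  if (size < 0 || !(buf = malloc ((size_t) size + 1)))
    goto done;
  rewind (fp);
  if (fread (buf, 1, (size_t) size, fp) != (size_t) size)
    goto done;
  buf[size] = '\0';
  fclose (fp);
  if (!(fp = fopen (tagfile, "wb")))   /* rewrite the file in place */
    goto done;
  dropped = 0;
  for (char *line = buf, *next; *line; line = next)
    {
      char *eol = strchr (line, '\n');
      next = eol ? eol + 1 : line + strlen (line);
      char saved = *next;
      *next = '\0';                    /* terminate this line for strstr/fputs */
      if (strstr (line, needle))
        dropped++;
      else if (fputs (line, fp) == EOF)
        { dropped = -1; break; }
      *next = saved;
    }
done:
  if (fp && fclose (fp) != 0)
    dropped = -1;
  free (buf);
  free (needle);
  return dropped;
}
```
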
This bug report was last modified 2 years and 129 days ago.