GNU bug report logs - #59817
[PATCH] Fix etags local command injection vulnerability

Previous Next

Package: emacs;

Reported by: lux <lx <at> shellcodes.org>

Date: Sun, 4 Dec 2022 13:52:01 UTC

Severity: normal

Tags: patch

Done: Eli Zaretskii <eliz <at> gnu.org>

Bug is archived. No further changes may be made.

Full log

View this message in rfc822 format

From: Stefan Kangas <stefankangas <at> gmail.com>
To: Eli Zaretskii <eliz <at> gnu.org>, lux <lx <at> shellcodes.org>
Cc: 59817 <at> debbugs.gnu.org
Subject: bug#59817: [PATCH] Fix etags local command injection vulnerability
Date: Sun, 4 Dec 2022 08:27:14 -0800

Eli Zaretskii <eliz <at> gnu.org> writes:

> Thanks, but no, thanks.  This cure is worse than the disease.  Let's please
> find simpler, more robust solutions.  It TMPDIR is a problem, let's use a
> file whose name is hard-coded in the etags.c source, or quote the name when
> we pass it to the shell.  If we suspect someone could disguise shell
> commands as file names, let's quote the file names we pass to the shell with
> '...' to prevent that.  Etc. etc. -- let's use simple solutions that don't
> drastically change the code.

With single quotes, every single quote character also needs to be quoted
so you can't just use a file named "';rm -rf $HOME;'".

So you need to substitute every single quote character with something like

    ' => '"'"'

I'm not sure if tricks to escape it will remain, but "man sh" promises:

   Single Quotes
     Enclosing characters in single quotes preserves the literal meaning
     of all the characters (except single quotes, making it impossible
     to put single-quotes in a single-quoted string).

The safest option is to just not call system, of course.
This bug report was last modified 2 years and 168 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.