GNU bug report logs - #59817
[PATCH] Fix etags local command injection vulnerability
Reported by: lux <lx <at> shellcodes.org>
Date: Sun, 4 Dec 2022 13:52:01 UTC
Severity: normal
Tags: patch
Done: Eli Zaretskii <eliz <at> gnu.org>
Bug is archived. No further changes may be made.
> From: Stefan Kangas <stefankangas <at> gmail.com>
> Date: Sun, 4 Dec 2022 08:27:14 -0800
> Cc: 59817 <at> debbugs.gnu.org
>
> Eli Zaretskii <eliz <at> gnu.org> writes:
>
> > Thanks, but no, thanks. This cure is worse than the disease. Let's please
> > find simpler, more robust solutions. If TMPDIR is a problem, let's use a
> > file whose name is hard-coded in the etags.c source, or quote the name when
> > we pass it to the shell. If we suspect someone could disguise shell
> > commands as file names, let's quote the file names we pass to the shell with
> > '...' to prevent that. Etc. etc. -- let's use simple solutions that don't
> > drastically change the code.
>
> With single quotes, every single quote character also needs to be quoted
> so you can't just use a file named "';rm -rf $HOME;'".
Yes. But still, doing so is hardly rocket science, and it leaves the
general design of etags.c intact.
> The safest option is to just not call system, of course.
I'd rather not go there unless it was really necessary.
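
The single-quote approach discussed in this message, as an added example that is not part of the original thread and is not code from etags.c: the helper name shell_quote is hypothetical. It wraps a file name in '...' and rewrites each embedded single quote as '\'' so the name reaches the shell as one literal word.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper (not from etags.c): return a newly allocated copy of
   NAME quoted for a POSIX shell.  The result is wrapped in '...' and each
   embedded ' becomes '\'' (close quote, escaped quote, reopen quote).
   Returns NULL on allocation failure; the caller frees the result.  */
char *
shell_quote (const char *name)
{
  size_t len = 2;               /* opening and closing quote */
  for (const char *p = name; *p; p++)
    len += (*p == '\'') ? 4 : 1;

  char *out = malloc (len + 1);
  if (out == NULL)
    return NULL;

  char *q = out;
  *q++ = '\'';
  for (const char *p = name; *p; p++)
    {
      if (*p == '\'')
        {
          memcpy (q, "'\\''", 4);
          q += 4;
        }
      else
        *q++ = *p;
    }
  *q++ = '\'';
  *q = '\0';
  return out;
}

int
main (void)
{
  /* The file name quoted in the thread; it is only printed, never run.  */
  const char *name = "';rm -rf $HOME;'";
  char *quoted = shell_quote (name);
  if (quoted == NULL)
    return EXIT_FAILURE;
  printf ("%s\n", quoted);
  free (quoted);
  return EXIT_SUCCESS;
}
```

Quoting only stops the shell from interpreting the name; a name that begins with "-" can still be read as an option by the program being invoked unless it is preceded by "--" or prefixed with "./".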
This bug report was last modified 2 years and 167 days ago.