GNU bug report logs - #59817
[PATCH] Fix etags local command injection vulnerability


Package: emacs;

Reported by: lux <lx <at> shellcodes.org>

Date: Sun, 4 Dec 2022 13:52:01 UTC

Severity: normal

Tags: patch

Done: Eli Zaretskii <eliz <at> gnu.org>

Bug is archived. No further changes may be made.


From: lux <lx <at> shellcodes.org>
To: Eli Zaretskii <eliz <at> gnu.org>
Cc: stefankangas <at> gmail.com, 59817 <at> debbugs.gnu.org
Subject: bug#59817: [PATCH] Fix etags local command injection vulnerability
Date: Tue, 6 Dec 2022 21:11:35 +0800
On Tue, 06 Dec 2022 14:55:09 +0200
Eli Zaretskii <eliz <at> gnu.org> wrote:

> The "MSDOS || DOS_NT" case also needs a small change:
> 
> >  	  char *cmd = concat (cmd1, "\" > ", tmp_name);  
> 
> This doesn't quote tmp_name; it should.

Because double quotes have been used here, I have not reproduced this
vulnerability on Windows, so I have not dealt with it:

$ touch "etags.c\" && ipconfig \".z"
$ ./etags.exe "etags.c\" && ipconfig \".z"
etags.c" && ipconfig ".z: Invalid argument
$ ./etags.exe *
etags.exe: skipping inclusion of TAGS in self.
etags.c" && ipconfig ".z: Invalid argument

> > +static char*  
>              ^^
> There should be a space before "*".

done.

> 
> > +      if (*p == '\'')
> > +        {
> > +          new_str[i+1] = '\\';
> > +          new_str[i+2] = '\'';
> > +          new_str[i+3] = '\'';
> > +          i += 3;  
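Review bot: the three writes at `new_str[i+1]` through `new_str[i+3]` followed by `i += 3` turn every single quote in the input into four output bytes (`'\''`), but no bounds check on `new_str` and no allocation are visible in the quoted lines, so the index arithmetic overruns the buffer unless the caller reserved at least four bytes per input character plus the terminator. Consider showing the allocation next to this loop, or counting the quotes in a first pass and sizing `new_str` from that before writing.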
> 
> I don't understand why you are adding ''\'' and not just \'.
> Wouldn't the latter work for some reason?
> 

Because the single quote escape is: '\''

$ echo ''\''hello world'\'''
'hello world'
$ echo 'I'\''m a poor man'
I'm a poor man


[0001-Fix-etags-local-command-injection-vulnerability.patch (text/x-patch, attachment)]
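The single-quote escaping explained in the reply above, written out as a small routine. This is an added example, not code from the patch or from etags; the function names `shell_quote` and `shell_quoted_is_literal` are hypothetical. `shell_quote` wraps a filename in single quotes and rewrites each embedded quote as `'\''` (close quote, backslash-escaped quote, reopen quote), sizing the output buffer from a first pass over the input so the expansion cannot overrun it; `shell_quoted_is_literal` walks the result with POSIX quoting rules and reports whether any byte is left where `sh` could interpret it.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example (hypothetical, not etags code): wrap S in single quotes
   for a POSIX shell, turning each embedded ' into '\'' so the whole
   string is passed through literally.  Returns a malloc'd string the
   caller must free, or NULL on allocation failure. */
char *shell_quote (const char *s)
{
  size_t len = strlen (s);
  size_t quotes = 0;
  for (const char *p = s; *p; p++)
    if (*p == '\'')
      quotes++;

  /* Worst case: 2 surrounding quotes + LEN bytes + 3 extra bytes for
     every embedded quote (it becomes 4 bytes) + NUL terminator. */
  char *out = malloc (len + 3 * quotes + 3);
  if (!out)
    return NULL;

  char *q = out;
  *q++ = '\'';
  for (const char *p = s; *p; p++)
    {
      if (*p == '\'')
        {
          memcpy (q, "'\\''", 4);   /* close, escaped quote, reopen */
          q += 4;
        }
      else
        *q++ = *p;
    }
  *q++ = '\'';
  *q = '\0';
  return out;
}

/* Hypothetical checker: walk Q with POSIX shell quoting rules and return
   1 if every byte is either inside a single-quoted region or a backslash
   escape outside quotes, and the string ends with quotes balanced.
   Any other unquoted byte (space, &, ", >, ...) could be interpreted by
   the shell, so the function returns 0. */
int shell_quoted_is_literal (const char *q)
{
  int in_single = 0;
  for (; *q; q++)
    {
      if (in_single)
        {
          if (*q == '\'')
            in_single = 0;          /* closing quote */
        }
      else if (*q == '\'')
        in_single = 1;              /* opening quote */
      else if (*q == '\\' && q[1])
        q++;                        /* backslash escapes exactly one byte */
      else
        return 0;                   /* unquoted byte: shell may interpret it */
    }
  return !in_single;                /* unterminated quote is not safe either */
}

int main (void)
{
  /* Constructed sample inputs: the filename from the mail and an
     apostrophe case. */
  const char *samples[] = { "etags.c\" && ipconfig \".z", "I'm a poor man" };
  for (size_t i = 0; i < sizeof samples / sizeof *samples; i++)
    {
      char *quoted = shell_quote (samples[i]);
      if (!quoted)
        return 1;
      printf ("%s  ->  %s  (%s)\n", samples[i], quoted,
              shell_quoted_is_literal (quoted) ? "inert" : "NOT inert");
      free (quoted);
    }
  return 0;
}
```

The checker is the defensive half: it is cheap to run on every command string you build, and it fails closed on an unterminated quote rather than trusting that the quoting routine was applied everywhere.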
