GNU bug report logs - #60268
[PATCH] Fix ruby-mode.el local command injection vulnerability


Package: emacs;

Reported by: lux <lx <at> shellcodes.org>

Date: Fri, 23 Dec 2022 04:57:01 UTC

Severity: normal

Tags: patch

Fixed in version 29.1

Done: Dmitry Gutov <dgutov <at> yandex.ru>

Bug is archived. No further changes may be made.


From: help-debbugs <at> gnu.org (GNU bug Tracking System)
To: Dmitry Gutov <dgutov <at> yandex.ru>
Cc: tracker <at> debbugs.gnu.org
Subject: bug#60268: closed ([PATCH] Fix ruby-mode.el local command
 injection vulnerability)
Date: Fri, 23 Dec 2022 23:45:01 +0000
[Message part 1 (text/plain, inline)]
Your message dated Sat, 24 Dec 2022 01:43:56 +0200
with message-id <62cd11da-7400-ba4a-23a8-cc7afc120aae <at> yandex.ru>
and subject line Re: bug#60268: [PATCH] Fix ruby-mode.el local command injection vulnerability
has caused the debbugs.gnu.org bug report #60268,
regarding [PATCH] Fix ruby-mode.el local command injection vulnerability
to be marked as done.

(If you believe you have received this mail in error, please contact
help-debbugs <at> gnu.org.)


-- 
60268: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=60268
GNU Bug Tracking System
Contact help-debbugs <at> gnu.org with problems
[Message part 2 (message/rfc822, inline)]
From: lux <lx <at> shellcodes.org>
To: bug-gnu-emacs <at> gnu.org
Subject: [PATCH] Fix ruby-mode.el local command injection vulnerability
Date: Fri, 23 Dec 2022 12:56:30 +0800
[Message part 3 (text/plain, inline)]
In ruby-mode.el, the 'ruby-find-library-file' function has a local
command injection vulnerability:

	(defun ruby-find-library-file (&optional feature-name)
	  (interactive)
	  ...
	  (shell-command-to-string (concat "gem which "
	(shell-quote-argument feature-name))) ...)

The 'ruby-find-library-file' is an interactive function, and is bound to
the shortcut key C-c C-f. Inside the function, the external command 'gem'
is called through 'shell-command-to-string', but the 'feature-name'
parameter is not escaped.

So, if the Ruby source file contains the following:

	require 'irb;id'

and typing C-c C-f, there is a risk of executing unexpected orders, for
example:

	(ruby-find-library-file "irb;uname")
	#<buffer irb.rb
	Linux>

Although the probability of being exploited is low, I think it's
still necessary to avoid this kind of security problem.

The attachment is the patch file, thanks.
[0001-Fix-etags-local-command-injection-vulnerability.patch (text/x-patch, attachment)]
[0001-Fix-ruby-mode.el-local-command-injection-vulnerabili.patch (text/x-patch, attachment)]
[Message part 6 (message/rfc822, inline)]
From: Dmitry Gutov <dgutov <at> yandex.ru>
To: lux <lx <at> shellcodes.org>, 60268-done <at> debbugs.gnu.org
Subject: Re: bug#60268: [PATCH] Fix ruby-mode.el local command injection
 vulnerability
Date: Sat, 24 Dec 2022 01:43:56 +0200
Version: 29.1

On 23/12/2022 06:56, lux wrote:
> In ruby-mode.el, the 'ruby-find-library-file' function has a local
> command injection vulnerability:
> 
> 	(defun ruby-find-library-file (&optional feature-name)
> 	  (interactive)
> 	  ...
> 	  (shell-command-to-string (concat "gem which "
> 	(shell-quote-argument feature-name))) ...)
> 
> The 'ruby-find-library-file' is an interactive function, and is bound to
> the shortcut key C-c C-f. Inside the function, the external command 'gem'
> is called through 'shell-command-to-string', but the 'feature-name'
> parameter is not escaped.
> 
> So, if the Ruby source file contains the following:
> 
> 	require 'irb;id'
> 
> and typing C-c C-f, there is a risk of executing unexpected orders, for
> example:
> 
> 	(ruby-find-library-file "irb;uname")
> 	#<buffer irb.rb
> 	Linux>
> 
> Although the probability of being exploited is low, I think it's
> still necessary to avoid this kind of security problem.
> 
> The attachment is the patch file, thanks.

Thanks! Installed.
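
The difference the report turns on, as an added example that is not part of the original messages and not code from ruby-mode.el: a feature name concatenated into a shell command line, the same name passed through `shell-quote-argument` as in the snippet quoted above, and a variant that avoids the shell by handing `call-process` an argument list. All `demo-` names are hypothetical, and the unquoted form is an assumption based on the report's description that the parameter is not escaped.

```elisp
;;; -*- lexical-binding: t -*-
;; Added illustration; not code from ruby-mode.el.  All `demo-' names
;; are hypothetical.

(require 'subr-x)                       ; for `string-trim'

(defun demo-command-unquoted (feature-name)
  "Build the command line by plain concatenation (the risky form).
Shell metacharacters in FEATURE-NAME reach the shell unchanged."
  (concat "gem which " feature-name))

(defun demo-command-quoted (feature-name)
  "Build the command line with FEATURE-NAME quoted as one shell word."
  (concat "gem which " (shell-quote-argument feature-name)))

(defun demo-gem-which (feature-name)
  "Run gem which FEATURE-NAME with no shell involved.
Return the reported path, or nil if gem is missing or the lookup fails."
  (when (executable-find "gem")
    (with-temp-buffer
      ;; ARGS go to the program as-is, so FEATURE-NAME is always one
      ;; argument.  (t nil): stdout into this buffer, stderr discarded.
      (when (eq 0 (call-process "gem" nil '(t nil) nil "which" feature-name))
        (string-trim (buffer-string))))))

(defun demo-compare (feature-name)
  "Return an alist showing how each variant treats FEATURE-NAME.
Nothing is executed here; only the command forms are built."
  `((unquoted . ,(demo-command-unquoted feature-name))
    (quoted   . ,(demo-command-quoted feature-name))
    (argv     . ("gem" "which" ,feature-name))))

;; Constructed sample input: the feature name used in the report.
(pp (demo-compare "irb;uname"))
```

Neither quoting nor the argument-list form stops a name beginning with `-` from being read by `gem` as an option; that needs a separate check on the feature name.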


This bug report was last modified 2 years and 152 days ago.
