GNU bug report logs - #60268
[PATCH] Fix ruby-mode.el local command injection vulnerability

Previous Next

Full log

View this message in rfc822 format

From: help-debbugs <at> gnu.org (GNU bug Tracking System)
To: lux <lx <at> shellcodes.org>
Subject: bug#60268: closed (Re: bug#60268: [PATCH] Fix ruby-mode.el local
 command injection vulnerability)
Date: Fri, 23 Dec 2022 23:45:02 +0000

[Message part 1 (text/plain, inline)]

Your bug report

#60268: [PATCH] Fix ruby-mode.el local command injection vulnerability

which was filed against the emacs package, has been closed.

The explanation is attached below, along with your original report.
If you require more details, please reply to 60268 <at> debbugs.gnu.org.

-- 
60268: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=60268
GNU Bug Tracking System
Contact help-debbugs <at> gnu.org with problems

[Message part 2 (message/rfc822, inline)]

From: Dmitry Gutov <dgutov <at> yandex.ru>
To: lux <lx <at> shellcodes.org>, 60268-done <at> debbugs.gnu.org
Subject: Re: bug#60268: [PATCH] Fix ruby-mode.el local command injection
 vulnerability
Date: Sat, 24 Dec 2022 01:43:56 +0200

Version: 29.1

On 23/12/2022 06:56, lux wrote:
> In ruby-mode.el, the 'ruby-find-library-file' function have a local
> command injection vulnerability:
> 
> 	(defun ruby-find-library-file (&optional feature-name)
> 	  (interactive)
> 	  ...
> 	  (shell-command-to-string (concat "gem which "
> 	(shell-quote-argument feature-name))) ...)
> 
> The 'ruby-find-library-file' is a interactive function, and bound to the
> shortcut key C-c C-f. Inside the function, the external command 'gem' is
> called through 'shell-command-to-string', but the 'feature-name'
> parameters are not escape.
> 
> So, if the Ruby source file contains the following:
> 
> 	require 'irb;id'
> 
> and typing C-c C-f, there is a risk of executing unexpected orders, for
> example:
> 
> 	(ruby-find-library-file "irb;uname")
> 	#<buffer irb.rb
> 	Linux>
> 
> Although the probability of being exploited is low, but I think it's
> still necessary to avoid this kind of security problem.
> 
> The attachment is the patch file, thanks.

Thanks! Installed.

[Message part 3 (message/rfc822, inline)]

From: lux <lx <at> shellcodes.org>
To: bug-gnu-emacs <at> gnu.org
Subject: [PATCH] Fix ruby-mode.el local command injection vulnerability
Date: Fri, 23 Dec 2022 12:56:30 +0800

[Message part 4 (text/plain, inline)]

In ruby-mode.el, the 'ruby-find-library-file' function have a local
command injection vulnerability:

	(defun ruby-find-library-file (&optional feature-name)
	  (interactive)
	  ...
	  (shell-command-to-string (concat "gem which "
	(shell-quote-argument feature-name))) ...)

The 'ruby-find-library-file' is a interactive function, and bound to the
shortcut key C-c C-f. Inside the function, the external command 'gem' is
called through 'shell-command-to-string', but the 'feature-name'
parameters are not escape.

So, if the Ruby source file contains the following:

	require 'irb;id'

and typing C-c C-f, there is a risk of executing unexpected orders, for
example:

	(ruby-find-library-file "irb;uname")
	#<buffer irb.rb
	Linux>

Although the probability of being exploited is low, but I think it's
still necessary to avoid this kind of security problem.

The attachment is the patch file, thanks.

[0001-Fix-etags-local-command-injection-vulnerability.patch (text/x-patch, attachment)]

[0001-Fix-ruby-mode.el-local-command-injection-vulnerabili.patch (text/x-patch, attachment)]

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.