GNU bug report logs -
#60268
[PATCH] Fix ruby-mode.el local command injection vulnerability
Reported by: lux <lx <at> shellcodes.org>
Date: Fri, 23 Dec 2022 04:57:01 UTC
Severity: normal
Tags: patch
Fixed in version 29.1
Done: Dmitry Gutov <dgutov <at> yandex.ru>
Bug is archived. No further changes may be made.
Message #13 received at 60268-done <at> debbugs.gnu.org:
Version: 29.1
On 23/12/2022 06:56, lux wrote:
> In ruby-mode.el, the 'ruby-find-library-file' function has a local
> command injection vulnerability:
>
> (defun ruby-find-library-file (&optional feature-name)
>   (interactive)
>   ...
>   (shell-command-to-string (concat "gem which "
>                                    (shell-quote-argument feature-name))) ...)
>
> The 'ruby-find-library-file' is an interactive function, bound to the
> shortcut key C-c C-f. Inside the function, the external command 'gem' is
> called through 'shell-command-to-string', but the 'feature-name'
> parameter is not escaped.
>
> So, if the Ruby source file contains the following:
>
> require 'irb;id'
>
> and typing C-c C-f, there is a risk of executing unexpected commands, for
> example:
>
> (ruby-find-library-file "irb;uname")
> #<buffer irb.rb
> Linux>
>
> Although the probability of being exploited is low, I think it's
> still necessary to avoid this kind of security problem.
>
> The attachment is the patch file, thanks.
Thanks! Installed.
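An added illustration of the pattern discussed in the report, written for this page and not taken from ruby-mode.el or from the patch: the `gem which` command line built by plain concatenation, the same line built with shell-quote-argument, and a variant that bypasses the shell entirely via process-lines. The function names, the example- prefix and the sample feature name are assumptions; nothing below invokes gem unless the last function is called explicitly.

```elisp
;; Added example, not ruby-mode.el's own code.  The two builders return
;; the string that `shell-command-to-string' would hand to the shell, so
;; the difference is visible without a Ruby or RubyGems install.

(defun example-gem-which-unquoted (feature-name)
  "Build the `gem which' command line by plain concatenation.
This is the injection pattern from the report: FEATURE-NAME is pasted
into a shell command unchanged, so a name containing `;' becomes two
commands once the shell parses the string."
  (concat "gem which " feature-name))

(defun example-gem-which-quoted (feature-name)
  "Build the same command line with FEATURE-NAME quoted for the shell.
`shell-quote-argument' escapes metacharacters such as ; | $ and spaces
for the shell Emacs is configured to use, so the whole value reaches
`gem' as one argument."
  (concat "gem which " (shell-quote-argument feature-name)))

(defun example-gem-which-no-shell (feature-name)
  "Run `gem which' without a shell at all.
`process-lines' passes FEATURE-NAME as a single argv entry, so there is
nothing to quote.  Requires `gem' on `exec-path' and signals an error if
it exits non-zero; returns the first line of output, or nil if there is
none."
  (car (process-lines "gem" "which" feature-name)))

;; Constructed sample input: the feature name that a line such as
;;   require 'irb;uname'
;; would supply to `ruby-find-library-file' when C-c C-f is typed on it.
(defconst example-feature-name "irb;uname"
  "Constructed malicious feature name used by the examples above.")

;; Evaluate these in *scratch* (C-x C-e after each form) to compare the
;; two command lines before anything is executed.
(example-gem-which-unquoted example-feature-name)
(example-gem-which-quoted example-feature-name)
```

On a POSIX system the unquoted builder yields `gem which irb;uname`, which /bin/sh splits into `gem which irb` followed by `uname`, reproducing the buffer name shown in the report; the quoted builder yields `gem which irb\;uname`, which the shell passes to gem as the single argument `irb;uname`. On Windows shell-quote-argument uses the quoting rules of the configured shell instead of backslashes, so the exact string differs but the argument boundary is preserved the same way. The process-lines variant is the stricter option when a feature can be run without shell interpolation at all, since no quoting step can be forgotten.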