GNU bug report logs - #60268
[PATCH] Fix ruby-mode.el local command injection vulnerability

Previous Next

Full log

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: lux <lx <at> shellcodes.org>
To: bug-gnu-emacs <at> gnu.org
Subject: [PATCH] Fix ruby-mode.el local command injection vulnerability
Date: Fri, 23 Dec 2022 12:56:30 +0800

[Message part 1 (text/plain, inline)]

In ruby-mode.el, the 'ruby-find-library-file' function have a local
command injection vulnerability:

	(defun ruby-find-library-file (&optional feature-name)
	  (interactive)
	  ...
	  (shell-command-to-string (concat "gem which "
	(shell-quote-argument feature-name))) ...)

The 'ruby-find-library-file' is a interactive function, and bound to the
shortcut key C-c C-f. Inside the function, the external command 'gem' is
called through 'shell-command-to-string', but the 'feature-name'
parameters are not escape.

So, if the Ruby source file contains the following:

	require 'irb;id'

and typing C-c C-f, there is a risk of executing unexpected orders, for
example:

	(ruby-find-library-file "irb;uname")
	#<buffer irb.rb
	Linux>

Although the probability of being exploited is low, but I think it's
still necessary to avoid this kind of security problem.

The attachment is the patch file, thanks.

[0001-Fix-etags-local-command-injection-vulnerability.patch (text/x-patch, attachment)]

[0001-Fix-ruby-mode.el-local-command-injection-vulnerabili.patch (text/x-patch, attachment)]

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.