import ctags-5.8-23.el8
This commit is contained in:
parent
fb71ec2c09
commit
3c370ff357
152
SOURCES/ctags-CVE-2022-4515.patch
Normal file
152
SOURCES/ctags-CVE-2022-4515.patch
Normal file
@ -0,0 +1,152 @@
|
||||
commit 2b7cd725d0612f13eb5a461778ca525cd489119b
|
||||
Author: Masatake YAMATO <yamato@redhat.com>
|
||||
Date: Tue Dec 13 05:16:00 2022 +0900
|
||||
|
||||
main: quote output file name before passing it to system(3) function
|
||||
|
||||
Following command line doesn't work:
|
||||
|
||||
$ ctags -o 'a b' ...
|
||||
|
||||
because a shell lauched from system(3) deals a whitespace between 'a'
|
||||
and 'b' as a separator. The output file name is passed to system(3)
|
||||
to run external sort command.
|
||||
|
||||
This commit adds code to put double and single quoets around the output
|
||||
file name before passing it to system(3).
|
||||
|
||||
The issue is reported by Lorenz Hipp <lhipp@idealbonn.de> in a private mail.
|
||||
|
||||
This commit is based on e00c55d7a0204dc1d0ae316141323959e1e16162 of
|
||||
Universal Ctags <https://github.com/universal-ctags/ctags>.
|
||||
|
||||
An example session of RHEL8:
|
||||
|
||||
[yamato@control]/tmp/ctags-5.8% git clone ssh://git@gitlab.consulting.redhat.com:2222/yamato/temp-test.git
|
||||
Cloning into 'temp-test'...
|
||||
Enter passphrase for key '/home/yamato/.ssh/id_rsa':
|
||||
remote: Enumerating objects: 4, done.
|
||||
remote: Counting objects: 100% (4/4), done.
|
||||
remote: Compressing objects: 100% (4/4), done.
|
||||
remote: Total 4 (delta 0), reused 0 (delta 0), pack-reused 0
|
||||
Receiving objects: 100% (4/4), done.
|
||||
[yamato@control]/tmp/ctags-5.8% cd temp-test
|
||||
[yamato@control]/tmp/ctags-5.8/temp-test% ls -l ~/.ctags
|
||||
ls: cannot access '/home/yamato/.ctags': No such file or directory
|
||||
[yamato@control]/tmp/ctags-5.8/temp-test% ../ctags hello.c
|
||||
[yamato@control]/tmp/ctags-5.8/temp-test% ls
|
||||
hello.c 'tags tags; echo Hi $(id -un), your systems is cracked!'
|
||||
[yamato@control]/tmp/ctags-5.8/temp-test% valgrind ../ctags hello.c
|
||||
==2076943== Memcheck, a memory error detector
|
||||
==2076943== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
|
||||
==2076943== Using Valgrind-3.18.1 and LibVEX; rerun with -h for copyright info
|
||||
==2076943== Command: ../ctags hello.c
|
||||
==2076943==
|
||||
==2076943==
|
||||
==2076943== HEAP SUMMARY:
|
||||
==2076943== in use at exit: 0 bytes in 0 blocks
|
||||
==2076943== total heap usage: 5,048 allocs, 5,048 frees, 365,311 bytes allocated
|
||||
==2076943==
|
||||
==2076943== All heap blocks were freed -- no leaks are possible
|
||||
==2076943==
|
||||
==2076943== For lists of detected and suppressed errors, rerun with: -s
|
||||
==2076943== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)
|
||||
|
||||
Signed-off-by: Masatake YAMATO <yamato@redhat.com>
|
||||
|
||||
diff --git a/sort.c b/sort.c
|
||||
index 09ba87a..fd60a94 100644
|
||||
--- a/sort.c
|
||||
+++ b/sort.c
|
||||
@@ -53,17 +53,44 @@ extern void catFile (const char *const name)
|
||||
# define PE_CONST const
|
||||
#endif
|
||||
|
||||
+/*
|
||||
+ Output file name should not be evaluated in system(3) function.
|
||||
+ The name must be used as is. Quotations are required to block the
|
||||
+ evaluation.
|
||||
+
|
||||
+ Normal single-quotes are used to quote a cstring:
|
||||
+ a => 'a'
|
||||
+ " => '"'
|
||||
+
|
||||
+ If a single-quote is included in the cstring, use double quotes for quoting it.
|
||||
+ ' => ''"'"''
|
||||
+*/
|
||||
+static void appendCstringWithQuotes (vString *dest, const char* cstr)
|
||||
+{
|
||||
+ const char* o;
|
||||
+
|
||||
+ vStringPut (dest, '\'');
|
||||
+ for (o = cstr; *o; o++)
|
||||
+ {
|
||||
+ if (*o == '\'')
|
||||
+ vStringCatS (dest, "'\"'\"'");
|
||||
+ else
|
||||
+ vStringPut (dest, *o);
|
||||
+ }
|
||||
+ vStringPut (dest, '\'');
|
||||
+}
|
||||
+
|
||||
extern void externalSortTags (const boolean toStdout)
|
||||
{
|
||||
const char *const sortNormalCommand = "sort -u -o";
|
||||
const char *const sortFoldedCommand = "sort -u -f -o";
|
||||
const char *sortCommand =
|
||||
Option.sorted == SO_FOLDSORTED ? sortFoldedCommand : sortNormalCommand;
|
||||
+# ifndef HAVE_SETENV
|
||||
PE_CONST char *const sortOrder1 = "LC_COLLATE=C";
|
||||
PE_CONST char *const sortOrder2 = "LC_ALL=C";
|
||||
- const size_t length = 4 + strlen (sortOrder1) + strlen (sortOrder2) +
|
||||
- strlen (sortCommand) + (2 * strlen (tagFileName ()));
|
||||
- char *const cmd = (char *) malloc (length + 1);
|
||||
+# endif
|
||||
+ vString *cmd = vStringNew ();
|
||||
int ret = -1;
|
||||
|
||||
if (cmd != NULL)
|
||||
@@ -73,20 +100,35 @@ extern void externalSortTags (const boolean toStdout)
|
||||
#ifdef HAVE_SETENV
|
||||
setenv ("LC_COLLATE", "C", 1);
|
||||
setenv ("LC_ALL", "C", 1);
|
||||
- sprintf (cmd, "%s %s %s", sortCommand, tagFileName (), tagFileName ());
|
||||
+ vStringCatS (cmd, sortCommand);
|
||||
+ vStringPut (cmd, ' ');
|
||||
+ appendCstringWithQuotes (cmd, tagFileName ());
|
||||
+ vStringPut (cmd, ' ');
|
||||
+ appendCstringWithQuotes (cmd, tagFileName ());
|
||||
#else
|
||||
# ifdef HAVE_PUTENV
|
||||
putenv (sortOrder1);
|
||||
putenv (sortOrder2);
|
||||
- sprintf (cmd, "%s %s %s", sortCommand, tagFileName (), tagFileName ());
|
||||
+ vStringCatS (cmd, sortCommand);
|
||||
+ vStringPut (cmd, ' ');
|
||||
+ appendCstringWithQuotes (cmd, tagFileName ());
|
||||
+ vStringPut (cmd, ' ');
|
||||
+ appendCstringWithQuotes (cmd, tagFileName ());
|
||||
# else
|
||||
- sprintf (cmd, "%s %s %s %s %s", sortOrder1, sortOrder2, sortCommand,
|
||||
- tagFileName (), tagFileName ());
|
||||
+ vStringCatS (cmd, sortOrder1);
|
||||
+ vStringPut (cmd, ' ');
|
||||
+ vStringCatS (cmd, sortOrder2);
|
||||
+ vStringPut (cmd, ' ');
|
||||
+ vStringCatS (cmd, sortCommand);
|
||||
+ vStringPut (cmd, ' ');
|
||||
+ appendCstringWithQuotes (cmd, tagFileName ());
|
||||
+ vStringPut (cmd, ' ');
|
||||
+ appendCstringWithQuotes (cmd, tagFileName ());
|
||||
# endif
|
||||
#endif
|
||||
- verbose ("system (\"%s\")\n", cmd);
|
||||
- ret = system (cmd);
|
||||
- free (cmd);
|
||||
+ verbose ("system (\"%s\")\n", vStringValue (cmd));
|
||||
+ ret = system (vStringValue (cmd));
|
||||
+ vStringDelete (cmd);
|
||||
|
||||
}
|
||||
if (ret != 0)
|
||||
|
@ -1,7 +1,7 @@
|
||||
Summary: A C programming language indexing and/or cross-reference tool
|
||||
Name: ctags
|
||||
Version: 5.8
|
||||
Release: 22%{?dist}
|
||||
Release: 23%{?dist}
|
||||
License: GPLv2+ and LGPLv2+ and Public Domain
|
||||
Group: Development/Tools
|
||||
URL: http://ctags.sourceforge.net/
|
||||
@ -14,6 +14,7 @@ Patch4: ctags-5.8-cssparse.patch
|
||||
Patch5: ctags-5.8-memmove.patch
|
||||
Patch6: ctags-5.8-format-security.patch
|
||||
Patch7: ctags-CVE-2014-7204.patch
|
||||
Patch8: ctags-CVE-2022-4515.patch
|
||||
Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
|
||||
|
||||
%description
|
||||
@ -55,6 +56,7 @@ Note: some command line options is not compatible with GNU etags.
|
||||
%patch5 -p1 -b .memmove
|
||||
%patch6 -p1 -b .fmt-sec
|
||||
%patch7 -p1 -b .CVE-2014-7204
|
||||
%patch8 -p1 -b .CVE-2022-4515
|
||||
|
||||
%build
|
||||
%configure
|
||||
@ -98,6 +100,10 @@ rm -rf %{buildroot}
|
||||
%{_mandir}/man1/etags.%{name}.1*
|
||||
|
||||
%changelog
|
||||
* Thu Dec 15 2022 Felipe Borges <feborges@redhat.com> - 5.8-23
|
||||
- CVE-2022-4515, arbitrary code execution issue
|
||||
Resolves: rhbz#2153787
|
||||
|
||||
* Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 5.8-22
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user