From 3c370ff3576fbbad5e6e5245942a6f306c773d71 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Tue, 28 Mar 2023 10:06:02 +0000
Subject: [PATCH] import ctags-5.8-23.el8
---
 SOURCES/ctags-CVE-2022-4515.patch | 152 ++++++++++++++++++++++++++++++
 SPECS/ctags.spec | 8 +-
 2 files changed, 159 insertions(+), 1 deletion(-)
 create mode 100644 SOURCES/ctags-CVE-2022-4515.patch
diff --git a/SOURCES/ctags-CVE-2022-4515.patch b/SOURCES/ctags-CVE-2022-4515.patch
new file mode 100644
index 0000000..eb916dd
--- /dev/null
+++ b/SOURCES/ctags-CVE-2022-4515.patch
@@ -0,0 +1,152 @@
+commit 2b7cd725d0612f13eb5a461778ca525cd489119b
+Author: Masatake YAMATO
+Date: Tue Dec 13 05:16:00 2022 +0900
+
+ main: quote output file name before passing it to system(3) function
+
+ Following command line doesn't work:
+
+ $ ctags -o 'a b' ...
+
+ because a shell lauched from system(3) deals a whitespace between 'a'
+ and 'b' as a separator. The output file name is passed to system(3)
+ to run external sort command.
+
+ This commit adds code to put double and single quoets around the output
+ file name before passing it to system(3).
+
+ The issue is reported by Lorenz Hipp in a private mail.
+
+ This commit is based on e00c55d7a0204dc1d0ae316141323959e1e16162 of
+ Universal Ctags .
+
+ An example session of RHEL8:
+
+ [yamato@control]/tmp/ctags-5.8% git clone ssh://git@gitlab.consulting.redhat.com:2222/yamato/temp-test.git
+ Cloning into 'temp-test'...
+ Enter passphrase for key '/home/yamato/.ssh/id_rsa':
+ remote: Enumerating objects: 4, done.
+ remote: Counting objects: 100% (4/4), done.
+ remote: Compressing objects: 100% (4/4), done.
+ remote: Total 4 (delta 0), reused 0 (delta 0), pack-reused 0
+ Receiving objects: 100% (4/4), done.
+ [yamato@control]/tmp/ctags-5.8% cd temp-test
+ [yamato@control]/tmp/ctags-5.8/temp-test% ls -l ~/.ctags
+ ls: cannot access '/home/yamato/.ctags': No such file or directory
+ [yamato@control]/tmp/ctags-5.8/temp-test% ../ctags hello.c
+ [yamato@control]/tmp/ctags-5.8/temp-test% ls
+ hello.c 'tags tags; echo Hi $(id -un), your systems is cracked!'
+ [yamato@control]/tmp/ctags-5.8/temp-test% valgrind ../ctags hello.c
+ ==2076943== Memcheck, a memory error detector
+ ==2076943== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
+ ==2076943== Using Valgrind-3.18.1 and LibVEX; rerun with -h for copyright info
+ ==2076943== Command: ../ctags hello.c
+ ==2076943==
+ ==2076943==
+ ==2076943== HEAP SUMMARY:
+ ==2076943== in use at exit: 0 bytes in 0 blocks
+ ==2076943== total heap usage: 5,048 allocs, 5,048 frees, 365,311 bytes allocated
+ ==2076943==
+ ==2076943== All heap blocks were freed -- no leaks are possible
+ ==2076943==
+ ==2076943== For lists of detected and suppressed errors, rerun with: -s
+ ==2076943== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)
+
+ Signed-off-by: Masatake YAMATO
+
+diff --git a/sort.c b/sort.c
+index 09ba87a..fd60a94 100644
+--- a/sort.c
++++ b/sort.c
+@@ -53,17 +53,44 @@ extern void catFile (const char *const name)
+ # define PE_CONST const
+ #endif
+
++/*
++ Output file name should not be evaluated in system(3) function.
++ The name must be used as is. Quotations are required to block the
++ evaluation.
++
++ Normal single-quotes are used to quote a cstring:
++ a => 'a'
++ " => '"'
++
++ If a single-quote is included in the cstring, use double quotes for quoting it.
++ ' => ''"'"''
++*/
++static void appendCstringWithQuotes (vString *dest, const char* cstr)
++{
++ const char* o;
++
++ vStringPut (dest, '\'');
++ for (o = cstr; *o; o++)
++ {
++ if (*o == '\'')
++ vStringCatS (dest, "'\"'\"'");
++ else
++ vStringPut (dest, *o);
++ }
++ vStringPut (dest, '\'');
++}
++
+ extern void externalSortTags (const boolean toStdout)
+ {
+ const char *const sortNormalCommand = "sort -u -o";
+ const char *const sortFoldedCommand = "sort -u -f -o";
+ const char *sortCommand =
+ Option.sorted == SO_FOLDSORTED ? sortFoldedCommand : sortNormalCommand;
++# ifndef HAVE_SETENV
+ PE_CONST char *const sortOrder1 = "LC_COLLATE=C";
+ PE_CONST char *const sortOrder2 = "LC_ALL=C";
+- const size_t length = 4 + strlen (sortOrder1) + strlen (sortOrder2) +
+- strlen (sortCommand) + (2 * strlen (tagFileName ()));
+- char *const cmd = (char *) malloc (length + 1);
++# endif
++ vString *cmd = vStringNew ();
+ int ret = -1;
+
+ if (cmd != NULL)
+@@ -73,20 +100,35 @@ extern void externalSortTags (const boolean toStdout)
+ #ifdef HAVE_SETENV
+ setenv ("LC_COLLATE", "C", 1);
+ setenv ("LC_ALL", "C", 1);
+- sprintf (cmd, "%s %s %s", sortCommand, tagFileName (), tagFileName ());
++ vStringCatS (cmd, sortCommand);
++ vStringPut (cmd, ' ');
++ appendCstringWithQuotes (cmd, tagFileName ());
++ vStringPut (cmd, ' ');
++ appendCstringWithQuotes (cmd, tagFileName ());
+ #else
+ # ifdef HAVE_PUTENV
+ putenv (sortOrder1);
+ putenv (sortOrder2);
+- sprintf (cmd, "%s %s %s", sortCommand, tagFileName (), tagFileName ());
++ vStringCatS (cmd, sortCommand);
++ vStringPut (cmd, ' ');
++ appendCstringWithQuotes (cmd, tagFileName ());
++ vStringPut (cmd, ' ');
++ appendCstringWithQuotes (cmd, tagFileName ());
+ # else
+- sprintf (cmd, "%s %s %s %s %s", sortOrder1, sortOrder2, sortCommand,
+- tagFileName (), tagFileName ());
++ vStringCatS (cmd, sortOrder1);
++ vStringPut (cmd, ' ');
++ vStringCatS (cmd, sortOrder2);
++ vStringPut (cmd, ' ');
++ vStringCatS (cmd, sortCommand);
++ vStringPut (cmd, ' ');
++ appendCstringWithQuotes (cmd, tagFileName ());
++ vStringPut (cmd, ' ');
++ appendCstringWithQuotes (cmd, tagFileName ());
+ # endif
+ #endif
+- verbose ("system (\"%s\")\n", cmd);
+- ret = system (cmd);
+- free (cmd);
++ verbose ("system (\"%s\")\n", vStringValue (cmd));
++ ret = system (vStringValue (cmd));
++ vStringDelete (cmd);
+
+ }
+ if (ret != 0)
+
diff --git a/SPECS/ctags.spec b/SPECS/ctags.spec
index 17b0cd1..a68dfd7 100644
--- a/SPECS/ctags.spec
+++ b/SPECS/ctags.spec
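Review bot: Quoting stops the shell from evaluating the tag file name, but the last `appendCstringWithQuotes (cmd, tagFileName ());` in each of the three branches of externalSortTags still passes that name to sort as a plain operand, so a name that begins with `-` would presumably be read by sort as an option rather than as a file. Adding `vStringCatS (cmd, " --");` just before the final `vStringPut (cmd, ' ');` in all three branches would end option parsing there; the first occurrence is the argument of `-o` and needs no change. The comment above appendCstringWithQuotes should also say that the quoting assumes system(3) runs a POSIX shell, since single quotes have no quoting meaning to other command interpreters. The `if (ret != 0)` tail of externalSortTags continues outside the hunk.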
@@ -1,7 +1,7 @@
 Summary: A C programming language indexing and/or cross-reference tool
 Name: ctags
 Version: 5.8
-Release: 22%{?dist}
+Release: 23%{?dist}
 License: GPLv2+ and LGPLv2+ and Public Domain
 Group: Development/Tools
 URL: http://ctags.sourceforge.net/
@@ -14,6 +14,7 @@ Patch4: ctags-5.8-cssparse.patch
 Patch5: ctags-5.8-memmove.patch
 Patch6: ctags-5.8-format-security.patch
 Patch7: ctags-CVE-2014-7204.patch
+Patch8: ctags-CVE-2022-4515.patch
 Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 %description
@@ -55,6 +56,7 @@ Note: some command line options is not compatible with GNU etags.
 %patch5 -p1 -b .memmove
 %patch6 -p1 -b .fmt-sec
 %patch7 -p1 -b .CVE-2014-7204
+%patch8 -p1 -b .CVE-2022-4515
 %build
 %configure
@@ -98,6 +100,10 @@ rm -rf %{buildroot}
 %{_mandir}/man1/etags.%{name}.1*
 %changelog
+* Thu Dec 15 2022 Felipe Borges - 5.8-23
+- CVE-2022-4515, arbitrary code execution issue
+ Resolves: rhbz#2153787
+
 * Wed Feb 07 2018 Fedora Release Engineering - 5.8-22
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild