import ctags-5.8-23.el8

2023-05-16 06:11:06 +00:00 · 2023-05-16 06:11:06 +00:00 · d8b26e0129
parent 1ede8d4374
commit d8b26e0129
2 changed files with 159 additions and 1 deletions
--- a/SOURCES/ctags-CVE-2022-4515.patch
+++ b/SOURCES/ctags-CVE-2022-4515.patch
@ -0,0 +1,152 @@
+commit 2b7cd725d0612f13eb5a461778ca525cd489119b
+Author: Masatake YAMATO <yamato@redhat.com>
+Date:   Tue Dec 13 05:16:00 2022 +0900
+
+    main: quote output file name before passing it to system(3) function
+    
+    Following command line doesn't work:
+    
+          $ ctags -o 'a b' ...
+    
+    because a shell lauched from system(3) deals a whitespace between 'a'
+    and 'b' as a separator. The output file name is passed to system(3)
+    to run external sort command.
+    
+    This commit adds code to put double and single quoets around the output
+    file name before passing it to system(3).
+    
+    The issue is reported by Lorenz Hipp <lhipp@idealbonn.de> in a private mail.
+    
+    This commit is based on e00c55d7a0204dc1d0ae316141323959e1e16162 of
+    Universal Ctags <https://github.com/universal-ctags/ctags>.
+    
+    An example session of RHEL8:
+    
+      [yamato@control]/tmp/ctags-5.8% git clone ssh://git@gitlab.consulting.redhat.com:2222/yamato/temp-test.git
+      Cloning into 'temp-test'...
+      Enter passphrase for key '/home/yamato/.ssh/id_rsa':
+      remote: Enumerating objects: 4, done.
+      remote: Counting objects: 100% (4/4), done.
+      remote: Compressing objects: 100% (4/4), done.
+      remote: Total 4 (delta 0), reused 0 (delta 0), pack-reused 0
+      Receiving objects: 100% (4/4), done.
+      [yamato@control]/tmp/ctags-5.8% cd temp-test
+      [yamato@control]/tmp/ctags-5.8/temp-test% ls -l ~/.ctags
+      ls: cannot access '/home/yamato/.ctags': No such file or directory
+      [yamato@control]/tmp/ctags-5.8/temp-test% ../ctags hello.c
+      [yamato@control]/tmp/ctags-5.8/temp-test% ls
+       hello.c  'tags tags; echo Hi $(id -un), your systems is cracked!'
+      [yamato@control]/tmp/ctags-5.8/temp-test% valgrind ../ctags hello.c
+      ==2076943== Memcheck, a memory error detector
+      ==2076943== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
+      ==2076943== Using Valgrind-3.18.1 and LibVEX; rerun with -h for copyright info
+      ==2076943== Command: ../ctags hello.c
+      ==2076943==
+      ==2076943==
+      ==2076943== HEAP SUMMARY:
+      ==2076943==     in use at exit: 0 bytes in 0 blocks
+      ==2076943==   total heap usage: 5,048 allocs, 5,048 frees, 365,311 bytes allocated
+      ==2076943==
+      ==2076943== All heap blocks were freed -- no leaks are possible
+      ==2076943==
+      ==2076943== For lists of detected and suppressed errors, rerun with: -s
+      ==2076943== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)
+    
+    Signed-off-by: Masatake YAMATO <yamato@redhat.com>
+
+diff --git a/sort.c b/sort.c
+index 09ba87a..fd60a94 100644
+--- a/sort.c
+++ b/sort.c
+@@ -53,17 +53,44 @@ extern void catFile (const char *const name)
+ # define PE_CONST const
+ #endif
+ 
+/*
+   Output file name should not be evaluated in system(3) function.
+   The name must be used as is. Quotations are required to block the
+   evaluation.
+
+   Normal single-quotes are used to quote a cstring:
+   a => 'a'
+   " => '"'
+
+   If a single-quote is included in the cstring, use double quotes for quoting it.
+   ' => ''"'"''
+*/
+static void appendCstringWithQuotes (vString *dest, const char* cstr)
+{
+	const char* o;
+
+	vStringPut (dest, '\'');
+	for (o = cstr; *o; o++)
+	{
+		if (*o == '\'')
+			vStringCatS (dest, "'\"'\"'");
+		else
+			vStringPut (dest, *o);
+	}
+	vStringPut (dest, '\'');
+}
+
+ extern void externalSortTags (const boolean toStdout)
+ {
+ 	const char *const sortNormalCommand = "sort -u -o";
+ 	const char *const sortFoldedCommand = "sort -u -f -o";
+ 	const char *sortCommand =
+ 		Option.sorted == SO_FOLDSORTED ? sortFoldedCommand : sortNormalCommand;
+# ifndef HAVE_SETENV
+ 	PE_CONST char *const sortOrder1 = "LC_COLLATE=C";
+ 	PE_CONST char *const sortOrder2 = "LC_ALL=C";
+-	const size_t length = 4 + strlen (sortOrder1) + strlen (sortOrder2) +
+-			strlen (sortCommand) + (2 * strlen (tagFileName ()));
+-	char *const cmd = (char *) malloc (length + 1);
+# endif
+	vString *cmd = vStringNew ();
+ 	int ret = -1;
+ 
+ 	if (cmd != NULL)
+@@ -73,20 +100,35 @@ extern void externalSortTags (const boolean toStdout)
+ #ifdef HAVE_SETENV
+ 		setenv ("LC_COLLATE", "C", 1);
+ 		setenv ("LC_ALL", "C", 1);
+-		sprintf (cmd, "%s %s %s", sortCommand, tagFileName (), tagFileName ());
+		vStringCatS (cmd, sortCommand);
+		vStringPut (cmd, ' ');
+		appendCstringWithQuotes (cmd, tagFileName ());
+		vStringPut (cmd, ' ');
+		appendCstringWithQuotes (cmd, tagFileName ());
+ #else
+ # ifdef HAVE_PUTENV
+ 		putenv (sortOrder1);
+ 		putenv (sortOrder2);
+-		sprintf (cmd, "%s %s %s", sortCommand, tagFileName (), tagFileName ());
+		vStringCatS (cmd, sortCommand);
+		vStringPut (cmd, ' ');
+		appendCstringWithQuotes (cmd, tagFileName ());
+		vStringPut (cmd, ' ');
+		appendCstringWithQuotes (cmd, tagFileName ());
+ # else
+-		sprintf (cmd, "%s %s %s %s %s", sortOrder1, sortOrder2, sortCommand,
+-				tagFileName (), tagFileName ());
+		vStringCatS (cmd, sortOrder1);
+		vStringPut (cmd, ' ');
+		vStringCatS (cmd, sortOrder2);
+		vStringPut (cmd, ' ');
+		vStringCatS (cmd, sortCommand);
+		vStringPut (cmd, ' ');
+		appendCstringWithQuotes (cmd, tagFileName ());
+		vStringPut (cmd, ' ');
+		appendCstringWithQuotes (cmd, tagFileName ());
+ # endif
+ #endif
+-		verbose ("system (\"%s\")\n", cmd);
+-		ret = system (cmd);
+-		free (cmd);
+		verbose ("system (\"%s\")\n", vStringValue (cmd));
+		ret = system (vStringValue (cmd));
+		vStringDelete (cmd);
+ 
+ 	}
+ 	if (ret != 0)
+
--- a/SPECS/ctags.spec
+++ b/SPECS/ctags.spec
@ -1,7 +1,7 @@
 Summary: A C programming language indexing and/or cross-reference tool
 Name: ctags
 Version: 5.8
-Release: 22%{?dist}
+Release: 23%{?dist}
 License: GPLv2+ and LGPLv2+ and Public Domain
 Group: Development/Tools
 URL: http://ctags.sourceforge.net/
@ -14,6 +14,7 @@ Patch4: ctags-5.8-cssparse.patch
 Patch5: ctags-5.8-memmove.patch
 Patch6: ctags-5.8-format-security.patch
 Patch7: ctags-CVE-2014-7204.patch
+Patch8: ctags-CVE-2022-4515.patch
 Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)

 %description
@ -55,6 +56,7 @@ Note: some command line options is not compatible with GNU etags.
 %patch5 -p1 -b .memmove
 %patch6 -p1 -b .fmt-sec
 %patch7 -p1 -b .CVE-2014-7204
+%patch8 -p1 -b .CVE-2022-4515

 %build
 %configure
@ -98,6 +100,10 @@ rm -rf %{buildroot}
 %{_mandir}/man1/etags.%{name}.1*

 %changelog
+* Thu Dec 15 2022 Felipe Borges <feborges@redhat.com> - 5.8-23
+- CVE-2022-4515, arbitrary code execution issue
+  Resolves: rhbz#2153787
+
 * Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 5.8-22
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild