bug-gnu-emacs

bug#59544: [PATCH] Fixed lib-src/etags.c command execute vulnerability


From: Eli Zaretskii
Subject: bug#59544: [PATCH] Fixed lib-src/etags.c command execute vulnerability
Date: Thu, 24 Nov 2022 20:01:46 +0200

> Cc: lux <lx@shellcodes.org>
> From: "lux" <lx@shellcodes.org>
> Date: Thu, 24 Nov 2022 23:27:13 +0800
> 
> When using the -u parameter, ctags will execute external shell commands by calling the system() function; if there are special file names, unexpected shell commands may be executed. The example is as follows:
> 
> $ ls
> etags.c
> $ /usr/local/bin/ctags *.c
> $ touch "'| uname -a #.c"
> $ /usr/local/bin/ctags -u *.c
> Linux mypc 6.0.8-300.fc37.x86_64 #1 SMP PREEMPT_DYNAMIC Fri Nov 11 15:09:04 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
> 
> ^C/usr/local/bin/ctags: failed to execute shell command
> 
> The vulnerability occurs in the following code:
> 
> char *z = stpcpy (cmd, "mv ");                   
> z = stpcpy (z, tagfile);                         
> z = stpcpy (z, " OTAGS;grep -Fv '\t");           
> z = stpcpy (z, argbuffer[i].what);               
> z = stpcpy (z, "\t' OTAGS >");                   
> z = stpcpy (z, tagfile);                         
> strcpy (z, ";rm OTAGS");                         
> if (system (cmd) != EXIT_SUCCESS)                
>   fatal ("failed to execute shell command");     
> 
> Because the file name is not checked, the file name is used as a concatenated string:
> 
> mv tags OTAGS;grep -Fv ' '| uname -a #.c ' OTAGS >tags;rm OTAGS
> 
> Email attachments are patches.

Thanks, but the solution you propose for this is too drastic: it in effect
rejects legitimate file names just because they have characters which look
"suspicious".  I think we need a more accurate test, which will not produce
false positives so easily.  Or maybe we need to ask the user for
confirmation instead of skipping the files with suspicious names.
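
One way to accept every file name, as the reply above asks, while keeping the name from being interpreted by the shell is to escape it before it is spliced into the command string. The C code below is an added example, not the submitted patch and not code from etags.c; `quote_for_single_quotes` and `build_update_cmd` are hypothetical names, and a POSIX shell is assumed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper, not from etags.c: return a malloc'd copy of S that is
   safe between single quotes in a POSIX shell command.  Inside '...' only
   the quote character is special, so each ' becomes '\'' (close the quoted
   string, emit an escaped quote, reopen it).  */
char *
quote_for_single_quotes (const char *s)
{
  size_t n = 0;
  for (const char *p = s; *p; p++)
    n += (*p == '\'') ? 4 : 1;
  char *out = malloc (n + 1);
  if (!out)
    return NULL;
  char *z = out;
  for (const char *p = s; *p; p++)
    if (*p == '\'')
      { memcpy (z, "'\\''", 4); z += 4; }
    else
      *z++ = *p;
  *z = '\0';
  return out;
}

/* Build the update command from the quoted snippet with both names escaped
   and wrapped in single quotes.  Returns NULL on allocation failure; the
   caller frees the result.  */
char *
build_update_cmd (const char *tagfile, const char *file)
{
  static const char fmt[] =
    "mv '%s' OTAGS;grep -Fv '\t%s\t' OTAGS >'%s';rm OTAGS";
  char *qt = quote_for_single_quotes (tagfile);
  char *qf = quote_for_single_quotes (file);
  char *cmd = NULL;
  if (qt && qf)
    {
      size_t len = sizeof fmt + 2 * strlen (qt) + strlen (qf);
      cmd = malloc (len);
      if (cmd)
        snprintf (cmd, len, fmt, qt, qf, qt);
    }
  free (qt);
  free (qf);
  return cmd;
}
```

Quoting only stops the shell from interpreting the name; a newline inside a name would still make `grep -F` read it as two patterns, so the lines removed from the tags file can differ from what was intended.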




