openbsd/ports
1
0
Fork 0
mirror of https://github.com/openbsd/ports.git synced 2026-06-17 23:13:55 +02:00
Code Issues Packages Projects Releases Wiki Activity

Backport security fixes from the emacs-28 branch

Browse Source 
Fixes for CVE-2022-45939, CVE-2022-48337, CVE-2022-48338, CVE-2022-48339
Prevent arbitrary command execution in ctags/etags handling and
htmlfontify/ruby modes.

From lux @ shellcodes dot org
This commit is contained in:
jca
2023-03-14 13:09:48 +00:00
parent 709e0638ac
commit 79bebe7a39
4 changed files with 363 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
editors/emacs/Makefile
+1
View File
@@ -1,6 +1,7 @@
COMMENT= GNU editor: extensible, customizable, self-documenting
VERSION= 28.2
REVISION= 0
DISTNAME= emacs-${VERSION}
CATEGORIES= editors
editors/emacs/patches/patch-lib-src_etags_c
+329
View File
@@ -0,0 +1,329 @@
"Fixed ctags local command execute vulnerability" (CVE-2022-45939)
https://git.savannah.gnu.org/cgit/emacs.git/commit/?h=emacs-28&id=5d05ea803e9996c4c1edbe0fa0f6f5b05d2ffc87
https://git.savannah.gnu.org/cgit/emacs.git/commit/?id=d48bb4874bc6cd3e69c7a15fc3c91cc141025c51
"Fix etags local command injection vulnerability" (CVE-2022-48337)
https://git.savannah.gnu.org/cgit/emacs.git/commit/?h=emacs-28&id=e339926272a598bd9ee7e02989c1662b89e64cf0
https://git.savannah.gnu.org/cgit/emacs.git/commit/?id=01a4035c869b91c153af9a9132c87adb7669ea1c
Index: lib-src/etags.c
--- lib-src/etags.c.orig
+++ lib-src/etags.c
@@ -382,7 +382,7 @@ static void just_read_file (FILE *);
static language *get_language_from_langname (const char *);
static void readline (linebuffer *, FILE *);
-static ptrdiff_t readline_internal (linebuffer *, FILE *, char const *);
+static ptrdiff_t readline_internal (linebuffer *, FILE *, char const *, const bool);
static bool nocase_tail (const char *);
static void get_tag (char *, char **);
static void get_lispy_tag (char *);
@@ -406,7 +406,10 @@ static void free_fdesc (fdesc *);
static void pfnote (char *, bool, char *, ptrdiff_t, intmax_t, intmax_t);
static void invalidate_nodes (fdesc *, node **);
static void put_entries (node *);
+static void clean_matched_file_tag (char const * const, char const * const);
+static char *escape_shell_arg_string (char *);
+static void do_move_file (const char *, const char *);
static char *concat (const char *, const char *, const char *);
static char *skip_spaces (char *);
static char *skip_non_spaces (char *);
@@ -1339,7 +1342,7 @@ main (int argc, char **argv)
if (parsing_stdin)
fatal ("cannot parse standard input "
"AND read file names from it");
- while (readline_internal (&filename_lb, stdin, "-") > 0)
+ while (readline_internal (&filename_lb, stdin, "-", false) > 0)
process_file_name (filename_lb.buffer, lang);
}
else
@@ -1387,9 +1390,6 @@ main (int argc, char **argv)
/* From here on, we are in (CTAGS && !cxref_style) */
if (update)
{
- char *cmd =
- xmalloc (strlen (tagfile) + whatlen_max +
- sizeof "mv..OTAGS;grep -Fv '\t\t' OTAGS >;rm OTAGS");
for (i = 0; i < current_arg; ++i)
{
switch (argbuffer[i].arg_type)
@@ -1400,17 +1400,8 @@ main (int argc, char **argv)
default:
continue; /* the for loop */
}
- char *z = stpcpy (cmd, "mv ");
- z = stpcpy (z, tagfile);
- z = stpcpy (z, " OTAGS;grep -Fv '\t");
- z = stpcpy (z, argbuffer[i].what);
- z = stpcpy (z, "\t' OTAGS >");
- z = stpcpy (z, tagfile);
- strcpy (z, ";rm OTAGS");
- if (system (cmd) != EXIT_SUCCESS)
- fatal ("failed to execute shell command");
+ clean_matched_file_tag (tagfile, argbuffer[i].what);
}
- free (cmd);
append_to_tagfile = true;
}
@@ -1439,7 +1430,52 @@ main (int argc, char **argv)
return EXIT_SUCCESS;
}
+/*
+ * Equivalent to: mv tags OTAGS;grep -Fv ' filename ' OTAGS >tags;rm OTAGS
+ */
+static void
+clean_matched_file_tag (const char* tagfile, const char* match_file_name)
+{
+ FILE *otags_f = fopen ("OTAGS", "wb");
+ FILE *tag_f = fopen (tagfile, "rb");
+ if (otags_f == NULL)
+ pfatal ("OTAGS");
+
+ if (tag_f == NULL)
+ pfatal (tagfile);
+
+ int buf_len = strlen (match_file_name) + sizeof ("\t\t ") + 1;
+ char *buf = xmalloc (buf_len);
+ snprintf (buf, buf_len, "\t%s\t", match_file_name);
+
+ linebuffer line;
+ linebuffer_init (&line);
+ while (readline_internal (&line, tag_f, tagfile, true) > 0)
+ {
+ if (ferror (tag_f))
+ pfatal (tagfile);
+
+ if (strstr (line.buffer, buf) == NULL)
+ {
+ fprintf (otags_f, "%s\n", line.buffer);
+ if (ferror (tag_f))
+ pfatal (tagfile);
+ }
+ }
+ free (buf);
+ free (line.buffer);
+
+ if (fclose (otags_f) == EOF)
+ pfatal ("OTAGS");
+
+ if (fclose (tag_f) == EOF)
+ pfatal (tagfile);
+
+ do_move_file ("OTAGS", tagfile);
+ return;
+}
+
/*
* Return a compressor given the file name. If EXTPTR is non-zero,
* return a pointer into FILE where the compressor-specific
@@ -1669,13 +1705,18 @@ process_file_name (char *file, language *lang)
else
{
#if MSDOS || defined (DOS_NT)
- char *cmd1 = concat (compr->command, " \"", real_name);
- char *cmd = concat (cmd1, "\" > ", tmp_name);
+ int buf_len = strlen (compr->command) + strlen (" \"\" > \"\"") + strlen (real_name) + strlen (tmp_name) + 1;
+ char *cmd = xmalloc (buf_len);
+ snprintf (cmd, buf_len, "%s \"%s\" > \"%s\"", compr->command, real_name, tmp_name);
#else
- char *cmd1 = concat (compr->command, " '", real_name);
- char *cmd = concat (cmd1, "' > ", tmp_name);
+ char *new_real_name = escape_shell_arg_string (real_name);
+ char *new_tmp_name = escape_shell_arg_string (tmp_name);
+ int buf_len = strlen (compr->command) + strlen (" > ") + strlen (new_real_name) + strlen (new_tmp_name) + 1;
+ char *cmd = xmalloc (buf_len);
+ snprintf (cmd, buf_len, "%s %s > %s", compr->command, new_real_name, new_tmp_name);
+ free (new_real_name);
+ free (new_tmp_name);
#endif
- free (cmd1);
inf = (system (cmd) == -1
? NULL
: fopen (tmp_name, "r" FOPEN_BINARY));
@@ -1822,7 +1863,7 @@ find_entries (FILE *inf)
/* Else look for sharp-bang as the first two characters. */
if (parser == NULL
- && readline_internal (&lb, inf, infilename) > 0
+ && readline_internal (&lb, inf, infilename, false) > 0
&& lb.len >= 2
&& lb.buffer[0] == '#'
&& lb.buffer[1] == '!')
@@ -6861,7 +6902,7 @@ analyze_regex (char *regex_arg)
if (regexfp == NULL)
pfatal (regexfile);
linebuffer_init (&regexbuf);
- while (readline_internal (&regexbuf, regexfp, regexfile) > 0)
+ while (readline_internal (&regexbuf, regexfp, regexfile, false) > 0)
analyze_regex (regexbuf.buffer);
free (regexbuf.buffer);
if (fclose (regexfp) != 0)
@@ -7209,11 +7250,13 @@ get_lispy_tag (register char *bp)
/*
* Read a line of text from `stream' into `lbp', excluding the
- * newline or CR-NL, if any. Return the number of characters read from
- * `stream', which is the length of the line including the newline.
+ * newline or CR-NL (if `leave_cr` is false), if any. Return the
+ * number of characters read from `stream', which is the length
+ * of the line including the newline.
*
- * On DOS or Windows we do not count the CR character, if any before the
- * NL, in the returned length; this mirrors the behavior of Emacs on those
+ * On DOS or Windows, if `leave_cr` is false, we do not count the
+ * CR character, if any before the NL, in the returned length;
+ * this mirrors the behavior of Emacs on those
* platforms (for text files, it translates CR-NL to NL as it reads in the
* file).
*
@@ -7221,7 +7264,7 @@ get_lispy_tag (register char *bp)
* appended to `filebuf'.
*/
static ptrdiff_t
-readline_internal (linebuffer *lbp, FILE *stream, char const *filename)
+readline_internal (linebuffer *lbp, FILE *stream, char const *filename, const bool leave_cr)
{
char *buffer = lbp->buffer;
char *p = lbp->buffer;
@@ -7251,19 +7294,19 @@ readline_internal (linebuffer *lbp, FILE *stream, char
break;
}
if (c == '\n')
- {
- if (p > buffer && p[-1] == '\r')
- {
- p -= 1;
- chars_deleted = 2;
- }
- else
- {
- chars_deleted = 1;
- }
- *p = '\0';
- break;
- }
+ {
+ if (!leave_cr && p > buffer && p[-1] == '\r')
+ {
+ p -= 1;
+ chars_deleted = 2;
+ }
+ else
+ {
+ chars_deleted = 1;
+ }
+ *p = '\0';
+ break;
+ }
*p++ = c;
}
lbp->len = p - buffer;
@@ -7294,7 +7337,7 @@ static void
readline (linebuffer *lbp, FILE *stream)
{
linecharno = charno; /* update global char number of line start */
- ptrdiff_t result = readline_internal (lbp, stream, infilename);
+ ptrdiff_t result = readline_internal (lbp, stream, infilename, false);
lineno += 1; /* increment global line number */
charno += result; /* increment global char number */
@@ -7650,6 +7693,95 @@ etags_mktmp (void)
#endif
return templt;
+}
+
+/*
+ * Adds single quotes around a string, if found single quotes, escaped it.
+ * Return a newly-allocated string.
+ *
+ * For example:
+ * escape_shell_arg_string("test.txt") => 'test.txt'
+ * escape_shell_arg_string("'test.txt") => ''\''test.txt'
+ */
+static char *
+escape_shell_arg_string (char *str)
+{
+ char *p = str;
+ int need_space = 2; /* ' at begin and end */
+
+ while (*p != '\0')
+ {
+ if (*p == '\'')
+ need_space += 4; /* ' to '\'', length is 4 */
+ else
+ need_space++;
+
+ p++;
+ }
+
+ char *new_str = xnew (need_space + 1, char);
+ new_str[0] = '\'';
+ new_str[need_space-1] = '\'';
+
+ int i = 1; /* skip first byte */
+ p = str;
+ while (*p != '\0')
+ {
+ new_str[i] = *p;
+ if (*p == '\'')
+ {
+ new_str[i+1] = '\\';
+ new_str[i+2] = '\'';
+ new_str[i+3] = '\'';
+ i += 3;
+ }
+
+ i++;
+ p++;
+ }
+
+ new_str[need_space] = '\0';
+ return new_str;
+}
+
+static void
+do_move_file(const char *src_file, const char *dst_file)
+{
+ if (rename (src_file, dst_file) == 0)
+ return;
+
+ FILE *src_f = fopen (src_file, "rb");
+ FILE *dst_f = fopen (dst_file, "wb");
+
+ if (src_f == NULL)
+ pfatal (src_file);
+
+ if (dst_f == NULL)
+ pfatal (dst_file);
+
+ int c;
+ while ((c = fgetc (src_f)) != EOF)
+ {
+ if (ferror (src_f))
+ pfatal (src_file);
+
+ if (ferror (dst_f))
+ pfatal (dst_file);
+
+ if (fputc (c, dst_f) == EOF)
+ pfatal ("cannot write");
+ }
+
+ if (fclose (src_f) == EOF)
+ pfatal (src_file);
+
+ if (fclose (dst_f) == EOF)
+ pfatal (dst_file);
+
+ if (unlink (src_file) == -1)
+ pfatal ("unlink error");
+
+ return;
}
/* Return a newly allocated string containing the file name of FILE
editors/emacs/patches/patch-lisp_htmlfontify_el
+17
View File
@@ -0,0 +1,17 @@
"Fix htmlfontify.el command injection vulnerability." (CVE-2022-48339)
https://debbugs.gnu.org/cgi/bugreport.cgi?bug=60295
https://git.savannah.gnu.org/cgit/emacs.git/commit/?h=emacs-28&id=807d2d5b3a7cd1d0e3f7dd24de22770f54f5ae16
https://git.savannah.gnu.org/cgit/emacs.git/commit/?id=1b4dc4691c1f87fc970fbe568b43869a15ad0d4c
Index: lisp/htmlfontify.el
--- lisp/htmlfontify.el.orig
+++ lisp/htmlfontify.el
@@ -1882,7 +1882,7 @@ Hardly bombproof, but good enough in the context in wh
(defun hfy-text-p (srcdir file)
"Is SRCDIR/FILE text? Use `hfy-istext-command' to determine this."
- (let* ((cmd (format hfy-istext-command (expand-file-name file srcdir)))
+ (let* ((cmd (format hfy-istext-command (shell-quote-argument (expand-file-name file srcdir))))
(rsp (shell-command-to-string cmd)))
(string-match "text" rsp)))
editors/emacs/patches/patch-lisp_progmodes_ruby-mode_el
+16
View File
@@ -0,0 +1,16 @@
"Fix ruby-mode.el local command injection vulnerability (bug#60268)" (CVE-2022-48338)
https://debbugs.gnu.org/cgi/bugreport.cgi?bug=60268
https://git.savannah.gnu.org/cgit/emacs.git/commit/?h=emacs-28&id=22fb5ff5126dc8bb01edaa0252829d853afb284f
https://git.savannah.gnu.org/cgit/emacs.git/commit/?id=9a3b08061feea14d6f37685ca1ab8801758bfd1c
--- lisp/progmodes/ruby-mode.el.orig
+++ lisp/progmodes/ruby-mode.el
@@ -1819,7 +1819,7 @@ or `gem' statement around point."
(setq feature-name (read-string "Feature name: " init))))
(let ((out
(substring
- (shell-command-to-string (concat "gem which " feature-name))
+ (shell-command-to-string (concat "gem which " (shell-quote-argument feature-name)))
0 -1)))
(if (string-match-p "\\`ERROR" out)
(user-error "%s" out)