GNU bug report logs - #60268
[PATCH] Fix ruby-mode.el local command injection vulnerability

Previous Next

To add a comment to this bug, you must first unarchive it, by sending
a message to control AT debbugs.gnu.org, with unarchive 60268 in the body.
You can then email your comments to 60268 AT debbugs.gnu.org in the normal way.

Toggle the display of automated, internal messages from the tracker.

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: lux <lx <at> shellcodes.org>
To: bug-gnu-emacs <at> gnu.org
Subject: [PATCH] Fix ruby-mode.el local command injection vulnerability
Date: Fri, 23 Dec 2022 12:56:30 +0800

[Message part 1 (text/plain, inline)]

In ruby-mode.el, the 'ruby-find-library-file' function have a local
command injection vulnerability:

	(defun ruby-find-library-file (&optional feature-name)
	  (interactive)
	  ...
	  (shell-command-to-string (concat "gem which "
	(shell-quote-argument feature-name))) ...)

The 'ruby-find-library-file' is a interactive function, and bound to the
shortcut key C-c C-f. Inside the function, the external command 'gem' is
called through 'shell-command-to-string', but the 'feature-name'
parameters are not escape.

So, if the Ruby source file contains the following:

	require 'irb;id'

and typing C-c C-f, there is a risk of executing unexpected orders, for
example:

	(ruby-find-library-file "irb;uname")
	#<buffer irb.rb
	Linux>

Although the probability of being exploited is low, but I think it's
still necessary to avoid this kind of security problem.

The attachment is the patch file, thanks.

[0001-Fix-etags-local-command-injection-vulnerability.patch (text/x-patch, attachment)]

[0001-Fix-ruby-mode.el-local-command-injection-vulnerabili.patch (text/x-patch, attachment)]

Message #8 received at 60268 <at> debbugs.gnu.org (full text, mbox):

From: "lux" <lx <at> shellcodes.org>
To: "60268" <60268 <at> debbugs.gnu.org>
Subject: [PATCH] Fix ruby-mode.el local command injection vulnerability
Date: Fri, 23 Dec 2022 12:59:42 +0800

[Message part 1 (text/plain, inline)]

Sorry, 0001-Fix-etags-local-command-injection-vulnerability.patch is a file I uploaded by mistake, please ignore

[Message part 2 (text/html, inline)]

Message #13 received at 60268-done <at> debbugs.gnu.org (full text, mbox):

From: Dmitry Gutov <dgutov <at> yandex.ru>
To: lux <lx <at> shellcodes.org>, 60268-done <at> debbugs.gnu.org
Subject: Re: bug#60268: [PATCH] Fix ruby-mode.el local command injection
 vulnerability
Date: Sat, 24 Dec 2022 01:43:56 +0200

Version: 29.1

On 23/12/2022 06:56, lux wrote:
> In ruby-mode.el, the 'ruby-find-library-file' function have a local
> command injection vulnerability:
> 
> 	(defun ruby-find-library-file (&optional feature-name)
> 	  (interactive)
> 	  ...
> 	  (shell-command-to-string (concat "gem which "
> 	(shell-quote-argument feature-name))) ...)
> 
> The 'ruby-find-library-file' is a interactive function, and bound to the
> shortcut key C-c C-f. Inside the function, the external command 'gem' is
> called through 'shell-command-to-string', but the 'feature-name'
> parameters are not escape.
> 
> So, if the Ruby source file contains the following:
> 
> 	require 'irb;id'
> 
> and typing C-c C-f, there is a risk of executing unexpected orders, for
> example:
> 
> 	(ruby-find-library-file "irb;uname")
> 	#<buffer irb.rb
> 	Linux>
> 
> Although the probability of being exploited is low, but I think it's
> still necessary to avoid this kind of security problem.
> 
> The attachment is the patch file, thanks.

Thanks! Installed.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.