bug#60268: closed ([PATCH] Fix ruby-mode.el local command injection vulnerability)

[GNU bug Tracking System]

Your message dated Sat, 24 Dec 2022 01:43:56 +0200
with message-id <62cd11da-7400-ba4a-23a8-cc7afc120aae@yandex.ru>
and subject line Re: bug#60268: [PATCH] Fix ruby-mode.el local command 
injection vulnerability
has caused the debbugs.gnu.org bug report #60268,
regarding [PATCH] Fix ruby-mode.el local command injection vulnerability
to be marked as done.

(If you believe you have received this mail in error, please contact
help-debbugs@gnu.org.)


-- 
60268: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=60268
GNU Bug Tracking System
Contact help-debbugs@gnu.org with problems

--- Begin Message --- Subject: [PATCH] Fix ruby-mode.el local command injection vulnerability Date: Fri, 23 Dec 2022 12:56:30 +0800

In ruby-mode.el, the 'ruby-find-library-file' function have a local
command injection vulnerability:

        (defun ruby-find-library-file (&optional feature-name)
          (interactive)
          ...
          (shell-command-to-string (concat "gem which "
        (shell-quote-argument feature-name))) ...)

The 'ruby-find-library-file' is a interactive function, and bound to the
shortcut key C-c C-f. Inside the function, the external command 'gem' is
called through 'shell-command-to-string', but the 'feature-name'
parameters are not escape.

So, if the Ruby source file contains the following:

        require 'irb;id'

and typing C-c C-f, there is a risk of executing unexpected orders, for
example:

        (ruby-find-library-file "irb;uname")
        #<buffer irb.rb
        Linux>

Although the probability of being exploited is low, but I think it's
still necessary to avoid this kind of security problem.

The attachment is the patch file, thanks.

0001-Fix-etags-local-command-injection-vulnerability.patch
Description: Text Data

0001-Fix-ruby-mode.el-local-command-injection-vulnerabili.patch
Description: Text Data

--- End Message ---

> --- Begin Message ---
>
>
>
> Subject: 
>
> Re: bug#60268: [PATCH] Fix ruby-mode.el local command injection vulnerability
>
>
>
>
> Date: 
>
> Sat, 24 Dec 2022 01:43:56 +0200
>
>
>
>
> User-agent: 
>
> Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.4.2
>
>
>
>
> Version: 29.1
>
> On 23/12/2022 06:56, lux wrote:
> > In ruby-mode.el, the 'ruby-find-library-file' function have a local
> > command injection vulnerability:
> >
> >         (defun ruby-find-library-file (&optional feature-name)
> >           (interactive)
> >           ...
> >           (shell-command-to-string (concat "gem which "
> >         (shell-quote-argument feature-name))) ...)
> >
> > The 'ruby-find-library-file' is a interactive function, and bound to the
> > shortcut key C-c C-f. Inside the function, the external command 'gem' is
> > called through 'shell-command-to-string', but the 'feature-name'
> > parameters are not escape.
> >
> > So, if the Ruby source file contains the following:
> >
> >         require 'irb;id'
> >
> > and typing C-c C-f, there is a risk of executing unexpected orders, for
> > example:
> >
> >         (ruby-find-library-file "irb;uname")
> >         #<buffer irb.rb
> >         Linux>
> >
> > Although the probability of being exploited is low, but I think it's
> > still necessary to avoid this kind of security problem.
> >
> > The attachment is the patch file, thanks.
>
> Thanks! Installed.
>
>
> --- End Message ---