ctags(1) command execution vulnerability

[Roman Bogorodskiy]

Hello,

	ctags(1) uses external application sort(1) for sorting the tags file.
It calls it via system(3) function. 

Look at the /usr/src/usr.bin/ctags/ctags.c file, there are such lines
here: 

if (uflag) {
	(void)asprintf(&cmd, "sort -o %s %s",
	    outfile, outfile);
	if (cmd == NULL)
		err(1, "out of space");
	system(cmd);
	free(cmd);
	cmd = NULL;
}

This code will be executed when "-u" arg was given. So, if we'll execute 
ctags in a such way:

ctags -u -f ';echo hi' *.c

we get the following:

Syntax error: ";" unexpected
sort: option requires an argument -- o
Try `sort --help' for more information.
hi
hi

We can put any command instead of 'echo hi' and it would be executed
(for two times). 

I understand that ctags(1) is not a suid application and this
vulnerability probably could not be exploited. Never the less, this is a
bad behavior for any kind of program. 

Solution:

--- usr.bin/ctags/ctags.c.orig	Tue May  4 09:23:30 2004
+++ usr.bin/ctags/ctags.c	Tue May  4 09:25:48 2004
@@ -166,7 +166,7 @@
 			if (uflag) {
 				for (step = 0; step < argc; step++) {
 					(void)asprintf(&cmd,
-					    "mv %s OTAGS; fgrep -v '\t%s\t' OTAGS >%s; rm OTAGS",
+					    "mv '%s' OTAGS; fgrep -v '\t%s\t' OTAGS >'%s'; rm OTAGS",
 					    outfile, argv[step], outfile);
 					if (cmd == NULL)
 						err(1, "out of space");
@@ -181,7 +181,7 @@
 			put_entries(head);
 			(void)fclose(outf);
 			if (uflag) {
-				(void)asprintf(&cmd, "sort -o %s %s",
+				(void)asprintf(&cmd, "sort -o '%s' '%s'",
 				    outfile, outfile);
 				if (cmd == NULL)
 					err(1, "out of space");


-Roman Bogorodskiy

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 479 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-security/attachments/20040504/cb59d4af/attachment.bin