Re: Security vulnerability in htags
From: Shigio YAMAGUCHI
Subject: Re: Security vulnerability in htags
Date: Wed, 8 May 2024 16:44:17 +0900

Hi,

I confirmed the security vulnerability and fixed it.
The result of executing the modified command is as follows:

$ rm -f /tmp/w
$ htags --suggest2 -d '&& id'
gtags: directory '/tmp/global/htags/&& id' not found.
htags: cannot execute gtags(1) command.
$ cat /tmp/w
cat: /tmp/w: No such file or directory
$ htags --suggest2 -d '$(pwd>/tmp/w)'
gtags: directory '/tmp/global/htags/$(pwd>' not found.
htags: cannot execute gtags(1) command.
$ cat /tmp/w
cat: /tmp/w: No such file or directory

I have attached the patch to this mail.
Thank you for the report.

Regards,
Shigio

On Wed, May 8, 2024 at 6:10 AM u32i <u32i@proton.me> wrote:
>
> Hi,
>
> I found a security vulnerability in htags. htags takes the input provided in
> the dbpath option (-d) and appends it to a command string that will later be
> executed by the system() function, without any escaping, leading to a command
> injection vulnerability.
>
> Vulnerable code: src/htags/htags.c:L1336
>
> Reproduce:
>
> Run htags by injecting a command in the dbpath argument (-d) :
>
> $ htags --suggest2 -d '&& id'
> // SNIP
> uid=1000(user1) gid=1000(user1)
> groups=1000(user1),24(cdrom),25(floppy),27(sudo)
> htags: GPATH, GTAGS and/or GRTAGS not found. Please reexecute htags
> with the -g option.
>
> $ htags --suggest2 -d '$(pwd>/tmp/w)'
> $ cat /tmp/w
> /home/user1/tests
>
> Environment:
>
> Tested in Debian 12, htags version 6.6.12
>
> Mitigation:
>
> Options added to or used in system commands should be validated and escaped
> before being used.
>
> Best Regards
>
--
Shigio YAMAGUCHI <shigio@gnu.org>
PGP fingerprint:
26F6 31B4 3D62 4A92 7E6F 1C33 969C 3BE3 89DD A6EB
htags.diff
Description: Binary data
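
The mitigation named in the report, escaping an option before it is placed in a string handed to system(), as an added example; this is not the attached htags.diff and not GNU Global code. The helper names sh_quote and run_quoted are hypothetical, and `printf '%s'` stands in for the gtags command line so that the argument the child actually receives can be inspected.

```c
#define _POSIX_C_SOURCE 200809L   /* popen(), pclose() */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Quote s as one /bin/sh word: wrap it in single quotes and rewrite each
 * embedded ' as '\''. Returns a malloc'd string, or NULL on failure. */
char *sh_quote(const char *s)
{
    char *out = malloc(4 * strlen(s) + 3), *q = out;   /* worst-case size */
    if (!out)
        return NULL;
    *q++ = '\'';
    for (; *s; s++)
        if (*s == '\'')
            q += sprintf(q, "'\\''");   /* close, escaped quote, reopen */
        else
            *q++ = *s;
    strcpy(q, "'");
    return out;
}

/* Stand-in for the call site (assumption, not htags code): builds
 * "printf '%s' <quoted arg>" and runs it with popen(), which passes the
 * string to /bin/sh -c as system() does. buf gets what the child received. */
int run_quoted(const char *arg, char *buf, size_t buflen)
{
    char cmd[1024];
    char *quoted = sh_quote(arg);
    if (!quoted)
        return -1;
    int n = snprintf(cmd, sizeof cmd, "printf '%%s' %s", quoted);
    free(quoted);
    if (n < 0 || (size_t)n >= sizeof cmd)
        return -1;                      /* never run a truncated command */
    FILE *fp = popen(cmd, "r");
    if (!fp)
        return -1;
    buf[fread(buf, 1, buflen - 1, fp)] = '\0';
    return pclose(fp) == 0 ? 0 : -1;
}

int main(void)
{
    char got[256];                      /* input: a -d value from this thread */
    if (run_quoted("$(pwd>/tmp/w)", got, sizeof got) == 0)
        printf("child received: [%s]\n", got);
    return 0;
}
```

Passing the arguments as an argv array to execvp() or posix_spawn() removes the shell from the path entirely and needs no quoting step.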