Hi, I confirmed the security vulnerability and fixed it. The result of executing the modified command is as follows:
$ rm -f /tmp/w
$ htags --suggest2 -d '&& id'
gtags: directory '/tmp/global/htags/&& id' not found.
htags: cannot execute gtags(1) command.
$ cat /tmp/w
cat: /tmp/w: No such file or directory
$ htags --suggest2 -d '$(pwd>/tmp/w)'
gtags: directory '/tmp/global/htags/$(pwd>' not found.
htags: cannot execute gtags(1) command.
$ cat /tmp/w
cat: /tmp/w: No such file or directory

I have attached the patch to this mail.
Thank you for the report.

Regards,
Shigio

On Wed, May 8, 2024 at 6:10 AM u32i <[email protected]> wrote:
>
> Hi,
>
> I found a security vulnerability in htags. htags takes the input provided in
> the dbpath option (-d) and appends it to a command string that will later be
> executed by the system() function, without any escaping, leading to a command
> injection vulnerability.
>
> Vulnerable code: src/htags/htags.c:L1336
>
> Reproduce:
>
> Run htags by injecting a command in the dbpath argument (-d):
>
> $ htags --suggest2 -d '&& id'
> // SNIP
> uid=1000(user1) gid=1000(user1)
> groups=1000(user1),24(cdrom),25(floppy),27(sudo)
> htags: GPATH, GTAGS and/or GRTAGS not found. Please reexecute htags
> with the -g option.
>
> $ htags --suggest2 -d '$(pwd>/tmp/w)'
> $ cat /tmp/w
> /home/user1/tests
>
> Environment:
>
> Tested in Debian 12, htags version 6.6.12
>
> Mitigation:
>
> Options added to or used in system commands should be validated and escaped
> before being used.
>
> Best Regards

--
Shigio YAMAGUCHI <[email protected]>
PGP fingerprint: 26F6 31B4 3D62 4A92 7E6F 1C33 969C 3BE3 89DD A6EB
htags.diff
Description: Binary data
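The mitigation the report asks for, worked through in C as an added illustration. This is not GLOBAL's code and not the htags.diff attached to the mail (which is not shown here); it only demonstrates the principle. The command prefix "gtags " is a placeholder for whatever htags really runs, and shell_quote/build_gtags_command are names chosen for this example. Wrapping the untrusted -d value in single quotes makes the shell treat "&&" and "$(...)" as literal characters, so the payloads quoted above become an ordinary (nonexistent) directory name instead of extra commands.

```c
/* Added example (not GLOBAL's code): shell-quote an untrusted argument
 * before splicing it into a string handed to system(3).
 * Inside single quotes the shell treats every byte literally; the only
 * byte that needs special handling is a single quote itself, which is
 * emitted as '\'' (close the quote, escaped quote, reopen the quote). */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Return a newly allocated, single-quoted copy of s. Caller frees. */
char *shell_quote(const char *s)
{
    size_t n = strlen(s), extra = 2;       /* the two surrounding quotes */
    for (const char *p = s; *p; p++)
        if (*p == '\'')
            extra += 3;                    /* ' -> '\'' is 3 extra bytes */
    char *out = malloc(n + extra + 1);
    if (!out)
        return NULL;
    char *o = out;
    *o++ = '\'';
    for (const char *p = s; *p; p++) {
        if (*p == '\'') {
            memcpy(o, "'\\''", 4);
            o += 4;
        } else {
            *o++ = *p;
        }
    }
    *o++ = '\'';
    *o = '\0';
    return out;
}

/* Build the command line the way a hardened caller would: the program
 * name is a fixed literal (placeholder "gtags"), the untrusted dbpath is
 * quoted. Caller frees the result. */
char *build_gtags_command(const char *dbpath)
{
    char *q = shell_quote(dbpath);
    if (!q)
        return NULL;
    size_t len = strlen("gtags ") + strlen(q) + 1;
    char *cmd = malloc(len);
    if (cmd)
        snprintf(cmd, len, "gtags %s", q);
    free(q);
    return cmd;
}

/* Helpers so the results can be checked without leaking the buffers. */
int quote_equals(const char *in, const char *expected)
{
    char *q = shell_quote(in);
    int ok = q && strcmp(q, expected) == 0;
    free(q);
    return ok;
}

int cmd_equals(const char *dbpath, const char *expected)
{
    char *c = build_gtags_command(dbpath);
    int ok = c && strcmp(c, expected) == 0;
    free(c);
    return ok;
}

int main(void)
{
    /* Constructed inputs: the two payloads from the report plus one
     * containing a single quote, the case naive quoting gets wrong. */
    const char *samples[] = { "&& id", "$(pwd>/tmp/w)", "it's here" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        char *cmd = build_gtags_command(samples[i]);
        printf("%s\n", cmd);
        free(cmd);
    }
    return 0;
}
```

Quoting is the minimal fix when the call must stay a system() string. The more robust option is to not involve a shell at all: build an argv array and run it with fork(2) plus execvp(3) (or posix_spawnp(3)), so the dbpath is passed as one argument verbatim and there is nothing to escape.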
