From: Roman Bogorodskiy
To: "Crist J. Clark"
Cc: freebsd-security@freebsd.org
Date: Fri, 7 May 2004 18:18:22 +0400
Subject: Re: ctags(1) command execution vulnerability
Message-ID: <20040507141821.GA777@lame.novel.ru>
In-Reply-To: <20040505003907.GA80906@blossom.cjclark.org>
References: <20040504054909.GA3119@lame.novel.ru> <20040505003907.GA80906@blossom.cjclark.org>

Crist wrote:
> As has been pointed out, the problem here is user supplied data to a system(3)
> call that we really cannot sanitize without filtering a lot of valid filenames.
> The Right Thing is to get rid of system(3).
>
> This seems to work. Fixing the sort is trivial. Adding the regex checks to the
> program adds a little complexity, but not a lot. Anyone who actually uses
> ctags(1) want to try them out some more to see if they hold up?

Using fork() + execlp() instead of system() is a good idea. Your
solution works for me.

Will this fix be committed?

-Roman Bogorodskiy
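
The fork() + execlp() approach discussed in this message, as an added example that is not the patch from the thread or ctags(1)'s own code: sort(1) is run on a caller-supplied file name with no shell in between, and a check confirms that a name containing shell metacharacters is handled as a single file. The names sort_in_place and hostile_name_check, the temporary directory and the sample file name are assumptions made for illustration.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

/* Sort `path` in place without a shell. Returns sort's exit status, -1 on error. */
int sort_in_place(const char *path)
{
    int status;
    pid_t pid = fork();
    if (pid == -1)
        return -1;
    if (pid == 0) {
        /* Each argument reaches sort verbatim; nothing parses it as shell syntax.
         * "--" keeps a name that starts with '-' from being read as an option. */
        execlp("sort", "sort", "-o", path, "--", path, (char *)NULL);
        _exit(127); /* exec failed */
    }
    if (waitpid(pid, &status, 0) == -1)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Constructed check: a name full of shell metacharacters is treated as one file. */
int hostile_name_check(void)
{
    char dir[] = "/tmp/nosh-demo.XXXXXX";
    const char *name = "tags; touch INJECTED"; /* constructed sample name */
    char first[8] = "";
    struct stat sb;
    FILE *f;
    int ok;
    if (mkdtemp(dir) == NULL || chdir(dir) == -1 || (f = fopen(name, "w")) == NULL)
        return -1;
    fputs("b\na\n", f);
    fclose(f);
    if (sort_in_place(name) != 0 || (f = fopen(name, "r")) == NULL)
        return -1;
    ok = fgets(first, sizeof first, f) != NULL && strcmp(first, "a\n") == 0;
    fclose(f);
    ok = ok && stat("INJECTED", &sb) == -1; /* no side-effect command ran */
    unlink(name);
    rmdir(dir);
    return ok ? 0 : 1;
}
int main(void) { return hostile_name_check(); }
```

Because the file name travels as its own argv entry, no quoting or filtering of valid file names is needed, which is the trade-off the quoted message raises against sanitizing input to system(3).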