Date: Fri, 7 May 2004 18:18:22 +0400
From: Roman Bogorodskiy <bogorodskiy@inbox.ru>
To: "Crist J. Clark" <cjc@freebsd.org>
Cc: freebsd-security@freebsd.org
Subject: Re: ctags(1) command execution vulnerability
Message-ID: <20040507141821.GA777@lame.novel.ru>
In-Reply-To: <20040505003907.GA80906@blossom.cjclark.org>
References: <20040504054909.GA3119@lame.novel.ru> <20040505003907.GA80906@blossom.cjclark.org>

Crist wrote:
> As has been pointed out, the problem here is user supplied data to a system(3)
> call that we really cannot sanitize without filtering a lot of valid filenames.
> The Right Thing is to get rid of system(3).
>
> This seems to work. Fixing the sort is trivial. Adding the regex checks to the
> program adds a little complexity, but not a lot. Anyone who actually uses
> ctags(1) want to try them out some more to see if they hold up?

Using fork() + execlp() instead of system() is a good idea.
Your solution works for me.

Will this fix be committed?

-Roman Bogorodskiy
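
Added example, not part of the original message and not the patch discussed in the thread: a sketch of the sort step run through fork() + execlp() so the file name is one argv element and never reaches a shell. The names `sort_in_place`, `demo` and `HOSTILE_NAME` are hypothetical, the sample file is constructed, and sort(1) is assumed to be on PATH.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed sample: a legal file name that sh would read as two commands. */
#define HOSTILE_NAME "tags; touch INJECTED"

/* Sort `path` in place by running sort(1) directly, with no shell.
 * The name travels as one argv element, so ';', '|', '`' or spaces in it
 * are never interpreted. Returns sort's exit status, or -1 on failure. */
int sort_in_place(const char *path)
{
    int status;
    pid_t pid = fork();

    if (pid == -1)
        return -1;
    if (pid == 0) {
        /* "--" ends option parsing, so a name starting with '-' stays a file. */
        execlp("sort", "sort", "-o", path, "--", path, (char *)NULL);
        _exit(127); /* only reached if exec failed */
    }
    if (waitpid(pid, &status, 0) == -1 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

/* Returns 1 if the hostile-named file was sorted and nothing else ran. */
int demo(void)
{
    char line[16] = "";
    FILE *f = fopen(HOSTILE_NAME, "w");

    if (f == NULL)
        return -1;
    fputs("zeta\nalpha\n", f);
    fclose(f);
    if (sort_in_place(HOSTILE_NAME) != 0)
        return -1;
    if ((f = fopen(HOSTILE_NAME, "r")) == NULL)
        return -1;
    if (fgets(line, sizeof line, f) == NULL)
        line[0] = '\0';
    fclose(f);
    unlink(HOSTILE_NAME);
    return strcmp(line, "alpha\n") == 0 && access("INJECTED", F_OK) == -1;
}

int main(void) { printf("safe: %d\n", demo()); return 0; }
```

The same file name interpolated into a system(3) command string would be split at the `;` by the shell, which is why filtering is unnecessary once the shell is out of the path.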