From 051ffd5f819ecda7e92afb4e3fdf76126a98daf7 Mon Sep 17 00:00:00 2001
From: CentOS Sources <bugs@centos.org>
Date: May 16 2023 06:11:06 +0000
Subject: import ctags-5.8-23.el8


---

diff --git a/SOURCES/ctags-CVE-2022-4515.patch b/SOURCES/ctags-CVE-2022-4515.patch
new file mode 100644
index 0000000..eb916dd
--- /dev/null
+++ b/SOURCES/ctags-CVE-2022-4515.patch
@@ -0,0 +1,152 @@
+commit 2b7cd725d0612f13eb5a461778ca525cd489119b
+Author: Masatake YAMATO <yamato@redhat.com>
+Date:   Tue Dec 13 05:16:00 2022 +0900
+
+    main: quote output file name before passing it to system(3) function
+    
+    Following command line doesn't work:
+    
+          $ ctags -o 'a b' ...
+    
+    because a shell lauched from system(3) deals a whitespace between 'a'
+    and 'b' as a separator. The output file name is passed to system(3)
+    to run external sort command.
+    
+    This commit adds code to put double and single quoets around the output
+    file name before passing it to system(3).
+    
+    The issue is reported by Lorenz Hipp <lhipp@idealbonn.de> in a private mail.
+    
+    This commit is based on e00c55d7a0204dc1d0ae316141323959e1e16162 of
+    Universal Ctags <https://github.com/universal-ctags/ctags>.
+    
+    An example session of RHEL8:
+    
+      [yamato@control]/tmp/ctags-5.8% git clone ssh://git@gitlab.consulting.redhat.com:2222/yamato/temp-test.git
+      Cloning into 'temp-test'...
+      Enter passphrase for key '/home/yamato/.ssh/id_rsa':
+      remote: Enumerating objects: 4, done.
+      remote: Counting objects: 100% (4/4), done.
+      remote: Compressing objects: 100% (4/4), done.
+      remote: Total 4 (delta 0), reused 0 (delta 0), pack-reused 0
+      Receiving objects: 100% (4/4), done.
+      [yamato@control]/tmp/ctags-5.8% cd temp-test
+      [yamato@control]/tmp/ctags-5.8/temp-test% ls -l ~/.ctags
+      ls: cannot access '/home/yamato/.ctags': No such file or directory
+      [yamato@control]/tmp/ctags-5.8/temp-test% ../ctags hello.c
+      [yamato@control]/tmp/ctags-5.8/temp-test% ls
+       hello.c  'tags tags; echo Hi $(id -un), your systems is cracked!'
+      [yamato@control]/tmp/ctags-5.8/temp-test% valgrind ../ctags hello.c
+      ==2076943== Memcheck, a memory error detector
+      ==2076943== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
+      ==2076943== Using Valgrind-3.18.1 and LibVEX; rerun with -h for copyright info
+      ==2076943== Command: ../ctags hello.c
+      ==2076943==
+      ==2076943==
+      ==2076943== HEAP SUMMARY:
+      ==2076943==     in use at exit: 0 bytes in 0 blocks
+      ==2076943==   total heap usage: 5,048 allocs, 5,048 frees, 365,311 bytes allocated
+      ==2076943==
+      ==2076943== All heap blocks were freed -- no leaks are possible
+      ==2076943==
+      ==2076943== For lists of detected and suppressed errors, rerun with: -s
+      ==2076943== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)
+    
+    Signed-off-by: Masatake YAMATO <yamato@redhat.com>
+
+diff --git a/sort.c b/sort.c
+index 09ba87a..fd60a94 100644
+--- a/sort.c
++++ b/sort.c
+@@ -53,17 +53,44 @@ extern void catFile (const char *const name)
+ # define PE_CONST const
+ #endif
+ 
++/*
++   Output file name should not be evaluated in system(3) function.
++   The name must be used as is. Quotations are required to block the
++   evaluation.
++
++   Normal single-quotes are used to quote a cstring:
++   a => 'a'
++   " => '"'
++
++   If a single-quote is included in the cstring, use double quotes for quoting it.
++   ' => ''"'"''
++*/
++static void appendCstringWithQuotes (vString *dest, const char* cstr)
++{
++	const char* o;
++
++	vStringPut (dest, '\'');
++	for (o = cstr; *o; o++)
++	{
++		if (*o == '\'')
++			vStringCatS (dest, "'\"'\"'");
++		else
++			vStringPut (dest, *o);
++	}
++	vStringPut (dest, '\'');
++}
++
+ extern void externalSortTags (const boolean toStdout)
+ {
+ 	const char *const sortNormalCommand = "sort -u -o";
+ 	const char *const sortFoldedCommand = "sort -u -f -o";
+ 	const char *sortCommand =
+ 		Option.sorted == SO_FOLDSORTED ? sortFoldedCommand : sortNormalCommand;
++# ifndef HAVE_SETENV
+ 	PE_CONST char *const sortOrder1 = "LC_COLLATE=C";
+ 	PE_CONST char *const sortOrder2 = "LC_ALL=C";
+-	const size_t length = 4 + strlen (sortOrder1) + strlen (sortOrder2) +
+-			strlen (sortCommand) + (2 * strlen (tagFileName ()));
+-	char *const cmd = (char *) malloc (length + 1);
++# endif
++	vString *cmd = vStringNew ();
+ 	int ret = -1;
+ 
+ 	if (cmd != NULL)
+@@ -73,20 +100,35 @@ extern void externalSortTags (const boolean toStdout)
+ #ifdef HAVE_SETENV
+ 		setenv ("LC_COLLATE", "C", 1);
+ 		setenv ("LC_ALL", "C", 1);
+-		sprintf (cmd, "%s %s %s", sortCommand, tagFileName (), tagFileName ());
++		vStringCatS (cmd, sortCommand);
++		vStringPut (cmd, ' ');
++		appendCstringWithQuotes (cmd, tagFileName ());
++		vStringPut (cmd, ' ');
++		appendCstringWithQuotes (cmd, tagFileName ());
+ #else
+ # ifdef HAVE_PUTENV
+ 		putenv (sortOrder1);
+ 		putenv (sortOrder2);
+-		sprintf (cmd, "%s %s %s", sortCommand, tagFileName (), tagFileName ());
++		vStringCatS (cmd, sortCommand);
++		vStringPut (cmd, ' ');
++		appendCstringWithQuotes (cmd, tagFileName ());
++		vStringPut (cmd, ' ');
++		appendCstringWithQuotes (cmd, tagFileName ());
+ # else
+-		sprintf (cmd, "%s %s %s %s %s", sortOrder1, sortOrder2, sortCommand,
+-				tagFileName (), tagFileName ());
++		vStringCatS (cmd, sortOrder1);
++		vStringPut (cmd, ' ');
++		vStringCatS (cmd, sortOrder2);
++		vStringPut (cmd, ' ');
++		vStringCatS (cmd, sortCommand);
++		vStringPut (cmd, ' ');
++		appendCstringWithQuotes (cmd, tagFileName ());
++		vStringPut (cmd, ' ');
++		appendCstringWithQuotes (cmd, tagFileName ());
+ # endif
+ #endif
+-		verbose ("system (\"%s\")\n", cmd);
+-		ret = system (cmd);
+-		free (cmd);
++		verbose ("system (\"%s\")\n", vStringValue (cmd));
++		ret = system (vStringValue (cmd));
++		vStringDelete (cmd);
+ 
+ 	}
+ 	if (ret != 0)
+
diff --git a/SPECS/ctags.spec b/SPECS/ctags.spec
index 17b0cd1..a68dfd7 100644
--- a/SPECS/ctags.spec
+++ b/SPECS/ctags.spec
@@ -1,7 +1,7 @@
 Summary: A C programming language indexing and/or cross-reference tool
 Name: ctags
 Version: 5.8
-Release: 22%{?dist}
+Release: 23%{?dist}
 License: GPLv2+ and LGPLv2+ and Public Domain
 Group: Development/Tools
 URL: http://ctags.sourceforge.net/
@@ -14,6 +14,7 @@ Patch4: ctags-5.8-cssparse.patch
 Patch5: ctags-5.8-memmove.patch
 Patch6: ctags-5.8-format-security.patch
 Patch7: ctags-CVE-2014-7204.patch
+Patch8: ctags-CVE-2022-4515.patch
 Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 
 %description
@@ -55,6 +56,7 @@ Note: some command line options is not compatible with GNU etags.
 %patch5 -p1 -b .memmove
 %patch6 -p1 -b .fmt-sec
 %patch7 -p1 -b .CVE-2014-7204
+%patch8 -p1 -b .CVE-2022-4515
 
 %build
 %configure
@@ -98,6 +100,10 @@ rm -rf %{buildroot}
 %{_mandir}/man1/etags.%{name}.1*
 
 %changelog
+* Thu Dec 15 2022 Felipe Borges <feborges@redhat.com> - 5.8-23
+- CVE-2022-4515, arbitrary code execution issue
+  Resolves: rhbz#2153787
+
 * Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 5.8-22
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild