CVE-2022-45939 Overview
CVE-2022-45939 is a command injection vulnerability in GNU Emacs through version 28.2. The vulnerability allows attackers to execute arbitrary commands via shell metacharacters embedded in the name of a source-code file. This occurs because lib-src/etags.c uses the system() C library function in its implementation of the ctags program. A typical exploitation scenario involves a victim executing the commonly suggested ctags * command in a directory containing maliciously crafted filenames that depend on untrusted input.
Critical Impact
Attackers can achieve arbitrary command execution on systems where users run ctags on directories containing malicious filenames, potentially leading to full system compromise.
Affected Products
- GNU Emacs through version 28.2
- Debian Linux 10.0 and 11.0
- Fedora 36 and 37
Discovery Timeline
- 2022-11-28 - CVE-2022-45939 published to NVD
- 2025-04-28 - Last updated in NVD database
Technical Details for CVE-2022-45939
Vulnerability Analysis
This vulnerability falls under CWE-78 (Improper Neutralization of Special Elements used in an OS Command), commonly known as OS Command Injection. The root issue lies in how the ctags program, distributed as part of GNU Emacs, processes filenames when generating tag files for source code navigation.
When a user executes ctags * in a directory—a common workflow suggested in the official ctags documentation—the program passes each filename through the system() C library function without proper sanitization. This creates a dangerous condition where shell metacharacters embedded in filenames are interpreted by the shell, allowing an attacker to inject and execute arbitrary commands.
The attack requires local access or the ability to influence filenames in a directory where a user might run ctags, such as through downloaded archives, shared repositories, or user-uploaded content.
Root Cause
The vulnerability stems from the unsafe use of the system() C library function within lib-src/etags.c. The system() function spawns a shell to execute the provided command string, which means any shell metacharacters (such as ;, |, $(), backticks, etc.) in the filename will be interpreted as shell commands rather than literal characters.
Secure alternatives such as execve() or proper input sanitization were not employed, leaving the program vulnerable to command injection through specially crafted filenames.
Attack Vector
The attack requires local access to the system and user interaction—specifically, the victim must run the ctags command in a directory containing attacker-controlled filenames. An attacker could exploit this by:
- Creating a file with a malicious name containing shell metacharacters (e.g., file;id;.c or $(malicious_command).c)
- Placing the file in a directory where a developer is likely to run ctags *
- When the victim executes ctags, the shell metacharacters in the filename are interpreted, executing the injected commands with the user's privileges
This attack vector is particularly effective in shared development environments, repositories with contributed code, or any scenario where users process files from untrusted sources.
Detection Methods for CVE-2022-45939
Indicators of Compromise
- Unusual process spawns originating from the ctags process
- Files with shell metacharacters in their names (;, |, $(), backticks) in source code directories
- Unexpected command execution in directories where developers run ctags
- Log entries showing shell command execution from etags or ctags processes
Detection Strategies
- Monitor file creation events for filenames containing shell metacharacters in development directories
- Implement endpoint detection rules for suspicious process trees where ctags spawns unexpected child processes
- Audit systems running GNU Emacs versions 28.2 or earlier for the vulnerable ctags binary
- Use SentinelOne's behavioral AI to detect anomalous command execution patterns from development tools
Monitoring Recommendations
- Enable process monitoring to track parent-child relationships for ctags and etags processes
- Configure alerts for unusual shell command execution in development environments
- Review file integrity monitoring for suspicious filenames in shared repositories
- Implement runtime application self-protection (RASP) for development workstations
How to Mitigate CVE-2022-45939
Immediate Actions Required
- Upgrade GNU Emacs to a patched version that addresses this vulnerability
- Avoid running ctags * on directories containing files from untrusted sources
- Audit existing directories for files with suspicious shell metacharacter-laden filenames
- Consider using alternative ctags implementations that do not use system() for file processing
Patch Information
GNU has released a security patch to address this vulnerability. The fix is available in the GNU Emacs Commit Update. Distribution-specific patches are available through:
- Debian Security Advisory DSA-5314
- Debian LTS Announcement
- Fedora package updates for versions 36 and 37
Workarounds
- Use explicit file lists instead of wildcards when running ctags
- Manually inspect filenames before processing directories with ctags
- Run ctags in a sandboxed environment when processing untrusted code
- Consider using Exuberant Ctags or Universal Ctags as alternatives if patching is not immediately possible
# Safer ctags usage - explicitly list files instead of using wildcards
find . -name "*.c" -print0 | xargs -0 ctags
# Or validate filenames before processing
for f in *.c; do
if [[ "$f" =~ ^[a-zA-Z0-9_.-]+$ ]]; then
ctags "$f"
fi
done
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
