oss-sec mailing list archives

Re: CVE-2015-1416: vulnerability in patch(1)


From: Mark Felder <feld () feld me>
Date: Sat, 01 Aug 2015 19:09:07 -0500



On Sat, Aug 1, 2015, at 17:49, Florian Weimer wrote:
> * Mark Felder:
>
>> Which upstream? There are a few different flavors of patch(1) out there.
>> The one in FreeBSD is a variant of Larry Wall's patch, not GNU patch.
>
> GNU patch is a variant of Larry Wall's patch, too.  I guess this makes
> FreeBSD (and OpenBSD?) patch and GNU patch siblings.

Aha, I see that mentioned under AUTHORS in GNU Patch's man page. This
piqued my interest, so I went down the following rabbit hole:

This fix in FreeBSD seems to have been sourced from Bitrig, the OpenBSD
fork:

https://svnweb.freebsd.org/base?view=revision&revision=285974

A quick glance shows the first parts of the vulnerability fix changes
code introduced by this commit, the actual initial import of this
BSD-licensed patch to FreeBSD from DragonFly BSD.

https://svnweb.freebsd.org/base?view=revision&revision=246074

Bitrig originally patched it here:

https://github.com/bitrig/bitrig/commit/84c2a000b0029c3a2fcb5040855434273530e478

DragonFly BSD removed this functionality entirely here:

https://github.com/DragonFlyBSD/DragonFlyBSD/commit/05172c8dd418493b9dd5ea9bf9cc684f3cf2e705

and then Bitrig did the same:

https://github.com/bitrig/bitrig/commit/d457d994c202c1bd6cc1483e6e3e48f27205e587

I checked and NetBSD patched it here:

http://cvsweb.netbsd.org/bsdweb.cgi/src/usr.bin/patch/inp.c?rev=1.24&content-type=text/x-cvsweb-markup&only_with_tag=MAIN

OpenBSD's patch was here:

http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/patch/inp.c?rev=1.37.6.1&content-type=text/x-cvsweb-markup

As for GNU patch, looking in src/inp.c shows it has diverged a lot, but
I couldn't say if that makes it invulnerable.

