oss-sec mailing list archives
Re: CVE-2015-1416: vulnerability in patch(1)
From: Mark Felder <feld () feld me>
Date: Sat, 01 Aug 2015 19:09:07 -0500
On Sat, Aug 1, 2015, at 17:49, Florian Weimer wrote:
> * Mark Felder:
>
>> Which upstream? There are a few different flavors of patch(1) out there. The one in FreeBSD is a variant of Larry Wall's patch, not GNU patch.
>
> GNU patch is a variant of Larry Wall's patch, too. I guess this makes FreeBSD (and OpenBSD?) patch and GNU patch siblings.

Aha, I see that mentioned under AUTHORS in GNU Patch's man page. This piqued my interest, so I went down the following rabbit hole:

This fix in FreeBSD seems to have been sourced from Bitrig, the OpenBSD fork:
https://svnweb.freebsd.org/base?view=revision&revision=285974

A quick glance shows the first parts of the vulnerability fix changes code introduced by this commit, the actual initial import of this BSD licensed patch to FreeBSD from DragonflyBSD.
https://svnweb.freebsd.org/base?view=revision&revision=246074

Bitrig originally patched it here:
https://github.com/bitrig/bitrig/commit/84c2a000b0029c3a2fcb5040855434273530e478

DragonflyBSD removed this functionality entirely here:
https://github.com/DragonFlyBSD/DragonFlyBSD/commit/05172c8dd418493b9dd5ea9bf9cc684f3cf2e705

and then Bitrig did the same:
https://github.com/bitrig/bitrig/commit/d457d994c202c1bd6cc1483e6e3e48f27205e587

I checked and NetBSD patched it here:
http://cvsweb.netbsd.org/bsdweb.cgi/src/usr.bin/patch/inp.c?rev=1.24&content-type=text/x-cvsweb-markup&only_with_tag=MAIN

OpenBSD's patch was here:
http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/patch/inp.c?rev=1.37.6.1&content-type=text/x-cvsweb-markup

As for GNU patch, looking in src/inp.c shows it has diverged a lot, but I couldn't say if that makes it invulnerable.