summaryrefslogtreecommitdiff
path: root/system
diff options
context:
space:
mode:
authorKiyoshi Aman <kiyoshi.aman+apkfission@gmail.com>2018-06-17 00:29:51 -0500
committerKiyoshi Aman <kiyoshi.aman+apkfission@gmail.com>2018-06-17 00:29:51 -0500
commit8bfd4ec4f904902286d845b4a1cf9056fcdc9149 (patch)
treed06d86b3ff2f9d850c46297e29b4d5ff8f51da00 /system
parent99c331a08cba00feb07381100dce2e6ef9a6c0b3 (diff)
downloadpackages-8bfd4ec4f904902286d845b4a1cf9056fcdc9149.tar.gz
packages-8bfd4ec4f904902286d845b4a1cf9056fcdc9149.tar.bz2
packages-8bfd4ec4f904902286d845b4a1cf9056fcdc9149.tar.xz
packages-8bfd4ec4f904902286d845b4a1cf9056fcdc9149.zip
system/patch: [PD] fix maintainer, fix CVE-2018-100156
Diffstat (limited to 'system')
-rw-r--r--system/patch/APKBUILD13
-rw-r--r--system/patch/CVE-2018-1000156.patch211
-rw-r--r--system/patch/allow-missing.patch33
3 files changed, 253 insertions, 4 deletions
diff --git a/system/patch/APKBUILD b/system/patch/APKBUILD
index 4c69c9273..2cc08dd73 100644
--- a/system/patch/APKBUILD
+++ b/system/patch/APKBUILD
@@ -1,8 +1,7 @@
-# Contributor: Sören Tempel <soeren+alpine@soeren-tempel.net>
-# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
+# Maintainer: Kiyoshi Aman <kiyoshi.aman+adelie@gmail.com>
pkgname=patch
pkgver=2.7.6
-pkgrel=2
+pkgrel=3
pkgdesc="Utility to apply diffs to files"
url="https://www.gnu.org/software/patch/patch.html"
arch="all"
@@ -14,12 +13,16 @@ install=""
subpackages="$pkgname-doc"
source="ftp://ftp.gnu.org/gnu/$pkgname/$pkgname-$pkgver.tar.xz
CVE-2018-6951.patch
+ allow-missing.patch
+ CVE-2018-1000156.patch
"
builddir="$srcdir"/$pkgname-$pkgver
# secfixes:
# 2.7.6-r2:
# - CVE-2018-6951
+# 2.7.6-r3:
+# - CVE-2018-1000156.patc
build() {
cd "$builddir"
@@ -49,4 +52,6 @@ package() {
}
sha512sums="fcca87bdb67a88685a8a25597f9e015f5e60197b9a269fa350ae35a7991ed8da553939b4bbc7f7d3cfd863c67142af403b04165633acbce4339056a905e87fbd patch-2.7.6.tar.xz
-db51d0b791d38dd4f1b373621ee18620ae339b172f58a79420fdaa4a4b1b1d9df239cf61bbddc4e6a4896b28b8cffc7c99161eb5e2facaec8df86a1bf7755bc0 CVE-2018-6951.patch"
+db51d0b791d38dd4f1b373621ee18620ae339b172f58a79420fdaa4a4b1b1d9df239cf61bbddc4e6a4896b28b8cffc7c99161eb5e2facaec8df86a1bf7755bc0 CVE-2018-6951.patch
+317c922c3adcf347024a9ffd2374a1827b19cc1f275a90e195e070cbcf16fb47788b14ffd18365ae5e1f867ed650e6f9aed6acf287bfc427107f3ed8bcd2b3af allow-missing.patch
+93414b33413b493eaa15027dfbe39c00eb1c556acf9f30af4c0ca113303867c5e7ad441c2596a7f9d060b8b67735a2a1c8be5db3c779ea47302f616ef8530d5d CVE-2018-1000156.patch"
diff --git a/system/patch/CVE-2018-1000156.patch b/system/patch/CVE-2018-1000156.patch
new file mode 100644
index 000000000..36f33dea2
--- /dev/null
+++ b/system/patch/CVE-2018-1000156.patch
@@ -0,0 +1,211 @@
+From 123eaff0d5d1aebe128295959435b9ca5909c26d Mon Sep 17 00:00:00 2001
+From: Andreas Gruenbacher <agruen@gnu.org>
+Date: Fri, 6 Apr 2018 12:14:49 +0200
+Subject: Fix arbitrary command execution in ed-style patches
+ (CVE-2018-1000156)
+
+* src/pch.c (do_ed_script): Write ed script to a temporary file instead
+of piping it to ed: this will cause ed to abort on invalid commands
+instead of rejecting them and carrying on.
+* tests/ed-style: New test case.
+* tests/Makefile.am (TESTS): Add test case.
+---
+ src/pch.c | 91 ++++++++++++++++++++++++++++++++++++++++---------------
+ tests/Makefile.am | 1 +
+ tests/ed-style | 41 +++++++++++++++++++++++++
+ 3 files changed, 108 insertions(+), 25 deletions(-)
+ create mode 100644 tests/ed-style
+
+diff --git a/src/pch.c b/src/pch.c
+index 0c5cc26..4fd5a05 100644
+--- a/src/pch.c
++++ b/src/pch.c
+@@ -33,6 +33,7 @@
+ # include <io.h>
+ #endif
+ #include <safe.h>
++#include <sys/wait.h>
+
+ #define INITHUNKMAX 125 /* initial dynamic allocation size */
+
+@@ -2389,24 +2390,28 @@ do_ed_script (char const *inname, char const *outname,
+ static char const editor_program[] = EDITOR_PROGRAM;
+
+ file_offset beginning_of_this_line;
+- FILE *pipefp = 0;
+ size_t chars_read;
++ FILE *tmpfp = 0;
++ char const *tmpname;
++ int tmpfd;
++ pid_t pid;
++
++ if (! dry_run && ! skip_rest_of_patch)
++ {
++ /* Write ed script to a temporary file. This causes ed to abort on
++ invalid commands such as when line numbers or ranges exceed the
++ number of available lines. When ed reads from a pipe, it rejects
++ invalid commands and treats the next line as a new command, which
++ can lead to arbitrary command execution. */
++
++ tmpfd = make_tempfile (&tmpname, 'e', NULL, O_RDWR | O_BINARY, 0);
++ if (tmpfd == -1)
++ pfatal ("Can't create temporary file %s", quotearg (tmpname));
++ tmpfp = fdopen (tmpfd, "w+b");
++ if (! tmpfp)
++ pfatal ("Can't open stream for file %s", quotearg (tmpname));
++ }
+
+- if (! dry_run && ! skip_rest_of_patch) {
+- int exclusive = *outname_needs_removal ? 0 : O_EXCL;
+- if (inerrno != ENOENT)
+- {
+- *outname_needs_removal = true;
+- copy_file (inname, outname, 0, exclusive, instat.st_mode, true);
+- }
+- sprintf (buf, "%s %s%s", editor_program,
+- verbosity == VERBOSE ? "" : "- ",
+- outname);
+- fflush (stdout);
+- pipefp = popen(buf, binary_transput ? "wb" : "w");
+- if (!pipefp)
+- pfatal ("Can't open pipe to %s", quotearg (buf));
+- }
+ for (;;) {
+ char ed_command_letter;
+ beginning_of_this_line = file_tell (pfp);
+@@ -2417,14 +2422,14 @@ do_ed_script (char const *inname, char const *outname,
+ }
+ ed_command_letter = get_ed_command_letter (buf);
+ if (ed_command_letter) {
+- if (pipefp)
+- if (! fwrite (buf, sizeof *buf, chars_read, pipefp))
++ if (tmpfp)
++ if (! fwrite (buf, sizeof *buf, chars_read, tmpfp))
+ write_fatal ();
+ if (ed_command_letter != 'd' && ed_command_letter != 's') {
+ p_pass_comments_through = true;
+ while ((chars_read = get_line ()) != 0) {
+- if (pipefp)
+- if (! fwrite (buf, sizeof *buf, chars_read, pipefp))
++ if (tmpfp)
++ if (! fwrite (buf, sizeof *buf, chars_read, tmpfp))
+ write_fatal ();
+ if (chars_read == 2 && strEQ (buf, ".\n"))
+ break;
+@@ -2437,13 +2442,49 @@ do_ed_script (char const *inname, char const *outname,
+ break;
+ }
+ }
+- if (!pipefp)
++ if (!tmpfp)
+ return;
+- if (fwrite ("w\nq\n", sizeof (char), (size_t) 4, pipefp) == 0
+- || fflush (pipefp) != 0)
++ if (fwrite ("w\nq\n", sizeof (char), (size_t) 4, tmpfp) == 0
++ || fflush (tmpfp) != 0)
+ write_fatal ();
+- if (pclose (pipefp) != 0)
+- fatal ("%s FAILED", editor_program);
++
++ if (lseek (tmpfd, 0, SEEK_SET) == -1)
++ pfatal ("Can't rewind to the beginning of file %s", quotearg (tmpname));
++
++ if (! dry_run && ! skip_rest_of_patch) {
++ int exclusive = *outname_needs_removal ? 0 : O_EXCL;
++ *outname_needs_removal = true;
++ if (inerrno != ENOENT)
++ {
++ *outname_needs_removal = true;
++ copy_file (inname, outname, 0, exclusive, instat.st_mode, true);
++ }
++ sprintf (buf, "%s %s%s", editor_program,
++ verbosity == VERBOSE ? "" : "- ",
++ outname);
++ fflush (stdout);
++
++ pid = fork();
++ if (pid == -1)
++ pfatal ("Can't fork");
++ else if (pid == 0)
++ {
++ dup2 (tmpfd, 0);
++ execl ("/bin/sh", "sh", "-c", buf, (char *) 0);
++ _exit (2);
++ }
++ else
++ {
++ int wstatus;
++ if (waitpid (pid, &wstatus, 0) == -1
++ || ! WIFEXITED (wstatus)
++ || WEXITSTATUS (wstatus) != 0)
++ fatal ("%s FAILED", editor_program);
++ }
++ }
++
++ fclose (tmpfp);
++ safe_unlink (tmpname);
+
+ if (ofp)
+ {
+diff --git a/tests/Makefile.am b/tests/Makefile.am
+index 6b6df63..16f8693 100644
+--- a/tests/Makefile.am
++++ b/tests/Makefile.am
+@@ -32,6 +32,7 @@ TESTS = \
+ crlf-handling \
+ dash-o-append \
+ deep-directories \
++ ed-style \
+ empty-files \
+ false-match \
+ fifo \
+diff --git a/tests/ed-style b/tests/ed-style
+new file mode 100644
+index 0000000..d8c0689
+--- /dev/null
++++ b/tests/ed-style
+@@ -0,0 +1,41 @@
++# Copyright (C) 2018 Free Software Foundation, Inc.
++#
++# Copying and distribution of this file, with or without modification,
++# in any medium, are permitted without royalty provided the copyright
++# notice and this notice are preserved.
++
++. $srcdir/test-lib.sh
++
++require cat
++use_local_patch
++use_tmpdir
++
++# ==============================================================
++
++cat > ed1.diff <<EOF
++0a
++foo
++.
++EOF
++
++check 'patch -e foo -i ed1.diff' <<EOF
++EOF
++
++check 'cat foo' <<EOF
++foo
++EOF
++
++cat > ed2.diff <<EOF
++1337a
++r !echo bar
++,p
++EOF
++
++check 'patch -e foo -i ed2.diff 2> /dev/null || echo "Status: $?"' <<EOF
++?
++Status: 2
++EOF
++
++check 'cat foo' <<EOF
++foo
++EOF
+--
+cgit v1.0-41-gc330
+
diff --git a/system/patch/allow-missing.patch b/system/patch/allow-missing.patch
new file mode 100644
index 000000000..98c9aa877
--- /dev/null
+++ b/system/patch/allow-missing.patch
@@ -0,0 +1,33 @@
+From b5a91a01e5d0897facdd0f49d64b76b0f02b43e1 Mon Sep 17 00:00:00 2001
+From: Andreas Gruenbacher <agruen@gnu.org>
+Date: Fri, 6 Apr 2018 11:34:51 +0200
+Subject: Allow input files to be missing for ed-style patches
+
+* src/pch.c (do_ed_script): Allow input files to be missing so that new
+files will be created as with non-ed-style patches.
+---
+ src/pch.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/src/pch.c b/src/pch.c
+index bc6278c..0c5cc26 100644
+--- a/src/pch.c
++++ b/src/pch.c
+@@ -2394,9 +2394,11 @@ do_ed_script (char const *inname, char const *outname,
+
+ if (! dry_run && ! skip_rest_of_patch) {
+ int exclusive = *outname_needs_removal ? 0 : O_EXCL;
+- assert (! inerrno);
+- *outname_needs_removal = true;
+- copy_file (inname, outname, 0, exclusive, instat.st_mode, true);
++ if (inerrno != ENOENT)
++ {
++ *outname_needs_removal = true;
++ copy_file (inname, outname, 0, exclusive, instat.st_mode, true);
++ }
+ sprintf (buf, "%s %s%s", editor_program,
+ verbosity == VERBOSE ? "" : "- ",
+ outname);
+--
+cgit v1.0-41-gc330
+