From owner-svn-src-all@freebsd.org Wed Aug 5 22:04:55 2015 Return-Path: Delivered-To: svn-src-all@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id D78BA9B4771; Wed, 5 Aug 2015 22:04:55 +0000 (UTC) (envelope-from delphij@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id ADE8A166C; Wed, 5 Aug 2015 22:04:55 +0000 (UTC) (envelope-from delphij@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.70]) by repo.freebsd.org (8.14.9/8.14.9) with ESMTP id t75M4tSA063295; Wed, 5 Aug 2015 22:04:55 GMT (envelope-from delphij@FreeBSD.org) Received: (from delphij@localhost) by repo.freebsd.org (8.14.9/8.14.9/Submit) id t75M4thU063292; Wed, 5 Aug 2015 22:04:55 GMT (envelope-from delphij@FreeBSD.org) Message-Id: <201508052204.t75M4thU063292@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: delphij set sender to delphij@FreeBSD.org using -f From: Xin LI Date: Wed, 5 Aug 2015 22:04:55 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r286346 - head/usr.bin/patch X-SVN-Group: head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-all@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 05 Aug 2015 22:04:55 -0000 Author: delphij Date: Wed Aug 5 22:04:54 2015 New Revision: 286346 URL: https://svnweb.freebsd.org/changeset/base/286346 Log: Fix shell injection vulnerability in patch(1) via ed(1) by tightening sanity check of the input. [1] While I'm there also replace ed(1) with red(1) because we do not need the unrestricted functionality. [2] Obtained from: Bitrig [1], DragonFly [2] Security: CVE-2015-1418 [1] Modified: head/usr.bin/patch/pathnames.h head/usr.bin/patch/pch.c Modified: head/usr.bin/patch/pathnames.h ============================================================================== --- head/usr.bin/patch/pathnames.h Wed Aug 5 21:58:32 2015 (r286345) +++ head/usr.bin/patch/pathnames.h Wed Aug 5 22:04:54 2015 (r286346) @@ -9,4 +9,4 @@ #include -#define _PATH_ED "/bin/ed" +#define _PATH_RED "/bin/red" Modified: head/usr.bin/patch/pch.c ============================================================================== --- head/usr.bin/patch/pch.c Wed Aug 5 21:58:32 2015 (r286345) +++ head/usr.bin/patch/pch.c Wed Aug 5 22:04:54 2015 (r286346) @@ -1,4 +1,3 @@ - /*- * Copyright 1986, Larry Wall * @@ -1410,13 +1409,14 @@ do_ed_script(void) char *t; off_t beginning_of_this_line; FILE *pipefp = NULL; + int continuation; if (!skip_rest_of_patch) { if (copy_file(filearg[0], TMPOUTNAME) < 0) { unlink(TMPOUTNAME); fatal("can't create temp file %s", TMPOUTNAME); } - snprintf(buf, buf_size, "%s%s%s", _PATH_ED, + snprintf(buf, buf_size, "%s%s%s", _PATH_RED, verbose ? " " : " -s ", TMPOUTNAME); pipefp = popen(buf, "w"); } @@ -1434,7 +1434,19 @@ do_ed_script(void) (*t == 'a' || *t == 'c' || *t == 'd' || *t == 'i' || *t == 's')) { if (pipefp != NULL) fputs(buf, pipefp); - if (*t != 'd') { + if (*t == 's') { + for (;;) { + continuation = 0; + t = strchr(buf, '\0') - 1; + while (--t >= buf && *t == '\\') + continuation = !continuation; + if (!continuation || + pgets(true) == 0) + break; + if (pipefp != NULL) + fputs(buf, pipefp); + } + } else if (*t != 'd') { while (pgets(true)) { p_input_line++; if (pipefp != NULL)