author | Leonardo Arena <rnalrd@alpinelinux.org> | 2019-08-08 06:27:48 +0000 |
---|---|---|
committer | Leonardo Arena <rnalrd@alpinelinux.org> | 2019-08-08 06:29:51 +0000 |
commit | 095fae596fc49100874f93b298316eb4f6d24f0f (patch) | |
tree | 7ff4c7105cc63b93b7b352cbc51cd11316f6efcf | |
parent | c2c48f7368e24b9468874c9f0a654af0d78ec393 (diff) | |
main/patch: security fixes
CVE-2019-13638, CVE-2018-1000156
Fixes #10695
Update license, remove unsupported configure option
-rw-r--r-- | main/patch/0001-Allow-input-files-to-be-missing-for-ed-style-patches.patch | 33 | ||||
-rw-r--r-- | main/patch/0002-Fix-arbitrary-command-execution-in-ed-style-patches-.patch | 211 | ||||
-rw-r--r-- | main/patch/APKBUILD | 28 | ||||
-rw-r--r-- | main/patch/CVE-2019-13638.patch | 38 |
4 files changed, 301 insertions, 9 deletions
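--- /dev/null
+++ b/main/patch/0001-Allow-input-files-to-be-missing-for-ed-style-patches.patch
@@ -0,0 +1,33 @@
+From b5a91a01e5d0897facdd0f49d64b76b0f02b43e1 Mon Sep 17 00:00:00 2001
+From: Andreas Gruenbacher <agruen@gnu.org>
+Date: Fri, 6 Apr 2018 11:34:51 +0200
+Subject: [PATCH] Allow input files to be missing for ed-style patches
+
+* src/pch.c (do_ed_script): Allow input files to be missing so that new
+files will be created as with non-ed-style patches.
+---
+src/pch.c | 8 +++++---
+1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/src/pch.c b/src/pch.c
+index bc6278c..0c5cc26 100644
+--- a/src/pch.c
++++ b/src/pch.c
+@@ -2394,9 +2394,11 @@ do_ed_script (char const *inname, char const *outname,
+
+if (! dry_run && ! skip_rest_of_patch) {
+int exclusive = *outname_needs_removal ? 0 : O_EXCL;
+- assert (! inerrno);
+- *outname_needs_removal = true;
+- copy_file (inname, outname, 0, exclusive, instat.st_mode, true);
++ if (inerrno != ENOENT)
++ {
++ *outname_needs_removal = true;
++ copy_file (inname, outname, 0, exclusive, instat.st_mode, true);
++ }
+sprintf (buf, "%s %s%s", editor_program,
+verbosity == VERBOSE ? "" : "- ",
+outname);
+--
+2.22.0
+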
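Review bot: The new guard `if (inerrno != ENOENT)` at hunk line 23 is wider than the `assert (! inerrno)` it replaces: any other stat error on the input (EACCES, ELOOP, ...) now falls through into `copy_file` with `instat.st_mode` taken from a stat that did not succeed, instead of being reported as the input-side failure it is. Keep the old invariant explicit by adding `if (inerrno && inerrno != ENOENT) pfatal ("Can't read %s", quotearg (inname));` ahead of the existing block, so only the genuinely-missing case skips the copy and lets ed create the file. Whether copy_file fails cleanly on its own in that case cannot be seen from this hunk; do_ed_script starts and ends outside it.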
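--- /dev/null
+++ b/main/patch/0002-Fix-arbitrary-command-execution-in-ed-style-patches-.patch
@@ -0,0 +1,211 @@
+From 123eaff0d5d1aebe128295959435b9ca5909c26d Mon Sep 17 00:00:00 2001
+From: Andreas Gruenbacher <agruen@gnu.org>
+Date: Fri, 6 Apr 2018 12:14:49 +0200
+Subject: [PATCH] Fix arbitrary command execution in ed-style patches
+(CVE-2018-1000156)
+
+* src/pch.c (do_ed_script): Write ed script to a temporary file instead
+of piping it to ed: this will cause ed to abort on invalid commands
+instead of rejecting them and carrying on.
+* tests/ed-style: New test case.
+* tests/Makefile.am (TESTS): Add test case.
+---
+src/pch.c | 91 ++++++++++++++++++++++++++++++++++-------------
+tests/Makefile.am | 1 +
+tests/ed-style | 41 +++++++++++++++++++++
+3 files changed, 108 insertions(+), 25 deletions(-)
+create mode 100644 tests/ed-style
+
+diff --git a/src/pch.c b/src/pch.c
+index 0c5cc26..4fd5a05 100644
+--- a/src/pch.c
++++ b/src/pch.c
+@@ -33,6 +33,7 @@
+# include <io.h>
+#endif
+#include <safe.h>
++#include <sys/wait.h>
+
+#define INITHUNKMAX 125 /* initial dynamic allocation size */
+
+@@ -2389,24 +2390,28 @@ do_ed_script (char const *inname, char const *outname,
+static char const editor_program[] = EDITOR_PROGRAM;
+
+file_offset beginning_of_this_line;
+- FILE *pipefp = 0;
+size_t chars_read;
++ FILE *tmpfp = 0;
++ char const *tmpname;
++ int tmpfd;
++ pid_t pid;
++
++ if (! dry_run && ! skip_rest_of_patch)
++ {
++ /* Write ed script to a temporary file. This causes ed to abort on
++ invalid commands such as when line numbers or ranges exceed the
++ number of available lines. When ed reads from a pipe, it rejects
++ invalid commands and treats the next line as a new command, which
++ can lead to arbitrary command execution. */
++
++ tmpfd = make_tempfile (&tmpname, 'e', NULL, O_RDWR | O_BINARY, 0);
++ if (tmpfd == -1)
++ pfatal ("Can't create temporary file %s", quotearg (tmpname));
++ tmpfp = fdopen (tmpfd, "w+b");
++ if (! tmpfp)
++ pfatal ("Can't open stream for file %s", quotearg (tmpname));
++ }
+
+- if (! dry_run && ! skip_rest_of_patch) {
+- int exclusive = *outname_needs_removal ? 0 : O_EXCL;
+- if (inerrno != ENOENT)
+- {
+- *outname_needs_removal = true;
+- copy_file (inname, outname, 0, exclusive, instat.st_mode, true);
+- }
+- sprintf (buf, "%s %s%s", editor_program,
+- verbosity == VERBOSE ? "" : "- ",
+- outname);
+- fflush (stdout);
+- pipefp = popen(buf, binary_transput ? "wb" : "w");
+- if (!pipefp)
+- pfatal ("Can't open pipe to %s", quotearg (buf));
+- }
+for (;;) {
+char ed_command_letter;
+beginning_of_this_line = file_tell (pfp);
+@@ -2417,14 +2422,14 @@ do_ed_script (char const *inname, char const *outname,
+}
+ed_command_letter = get_ed_command_letter (buf);
+if (ed_command_letter) {
+- if (pipefp)
+- if (! fwrite (buf, sizeof *buf, chars_read, pipefp))
++ if (tmpfp)
++ if (! fwrite (buf, sizeof *buf, chars_read, tmpfp))
+write_fatal ();
+if (ed_command_letter != 'd' && ed_command_letter != 's') {
+p_pass_comments_through = true;
+while ((chars_read = get_line ()) != 0) {
+- if (pipefp)
+- if (! fwrite (buf, sizeof *buf, chars_read, pipefp))
++ if (tmpfp)
++ if (! fwrite (buf, sizeof *buf, chars_read, tmpfp))
+write_fatal ();
+if (chars_read == 2 && strEQ (buf, ".\n"))
+break;
+@@ -2437,13 +2442,49 @@ do_ed_script (char const *inname, char const *outname,
+break;
+}
+}
+- if (!pipefp)
++ if (!tmpfp)
+return;
+- if (fwrite ("w\nq\n", sizeof (char), (size_t) 4, pipefp) == 0
+- || fflush (pipefp) != 0)
++ if (fwrite ("w\nq\n", sizeof (char), (size_t) 4, tmpfp) == 0
++ || fflush (tmpfp) != 0)
+write_fatal ();
+- if (pclose (pipefp) != 0)
+- fatal ("%s FAILED", editor_program);
++
++ if (lseek (tmpfd, 0, SEEK_SET) == -1)
++ pfatal ("Can't rewind to the beginning of file %s", quotearg (tmpname));
++
++ if (! dry_run && ! skip_rest_of_patch) {
++ int exclusive = *outname_needs_removal ? 0 : O_EXCL;
++ *outname_needs_removal = true;
++ if (inerrno != ENOENT)
++ {
++ *outname_needs_removal = true;
++ copy_file (inname, outname, 0, exclusive, instat.st_mode, true);
++ }
++ sprintf (buf, "%s %s%s", editor_program,
++ verbosity == VERBOSE ? "" : "- ",
++ outname);
++ fflush (stdout);
++
++ pid = fork();
++ if (pid == -1)
++ pfatal ("Can't fork");
++ else if (pid == 0)
++ {
++ dup2 (tmpfd, 0);
++ execl ("/bin/sh", "sh", "-c", buf, (char *) 0);
++ _exit (2);
++ }
++ else
++ {
++ int wstatus;
++ if (waitpid (pid, &wstatus, 0) == -1
++ || ! WIFEXITED (wstatus)
++ || WEXITSTATUS (wstatus) != 0)
++ fatal ("%s FAILED", editor_program);
++ }
++ }
++
++ fclose (tmpfp);
++ safe_unlink (tmpname);
+
+if (ofp)
+{
+diff --git a/tests/Makefile.am b/tests/Makefile.am
+index 6b6df63..16f8693 100644
+--- a/tests/Makefile.am
++++ b/tests/Makefile.am
+@@ -32,6 +32,7 @@ TESTS = \
+crlf-handling \
+dash-o-append \
+deep-directories \
++ ed-style \
+empty-files \
+false-match \
+fifo \
+diff --git a/tests/ed-style b/tests/ed-style
+new file mode 100644
+index 0000000..d8c0689
+--- /dev/null
++++ b/tests/ed-style
+@@ -0,0 +1,41 @@
++# Copyright (C) 2018 Free Software Foundation, Inc.
++#
++# Copying and distribution of this file, with or without modification,
++# in any medium, are permitted without royalty provided the copyright
++# notice and this notice are preserved.
++
++. $srcdir/test-lib.sh
++
++require cat
++use_local_patch
++use_tmpdir
++
++# ==============================================================
++
++cat > ed1.diff <<EOF
++0a
++foo
++.
++EOF
++
++check 'patch -e foo -i ed1.diff' <<EOF
++EOF
++
++check 'cat foo' <<EOF
++foo
++EOF
++
++cat > ed2.diff <<EOF
++1337a
++r !echo bar
++,p
++EOF
++
++check 'patch -e foo -i ed2.diff 2> /dev/null || echo "Status: $?"' <<EOF
++?
++Status: 2
++EOF
++
++check 'cat foo' <<EOF
++foo
++EOF
+--
+2.22.0
+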
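Review bot: `dup2 (tmpfd, 0)` in the child at hunk line 131 is unchecked; if it fails the child keeps patch's own stdin, and ed reads its commands from there instead of from the temporary file — when the patch is being read from stdin that is exactly the untrusted stream the temp file was introduced to keep away from ed. Make the failure fatal in the child, `if (dup2 (tmpfd, 0) == -1) _exit (2);`, which the parent already reports as "ed FAILED". Two smaller points in the same hunk: `*outname_needs_removal = true;` at line 115 already covers the repeat at line 118, and `waitpid` at line 138 is not retried on EINTR, so a signal arriving while ed runs is reported as an ed failure. The `/bin/sh -c` invocation of the sprintf-built command line at lines 121-132 is what the separate CVE-2019-13638.patch in this commit replaces, so it is not raised here. do_ed_script starts and ends outside the hunk.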
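--- a/main/patch/APKBUILD
+++ b/main/patch/APKBUILD
@@ -2,26 +2,31 @@
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=patch
 pkgver=2.7.6
-pkgrel=5
+pkgrel=6
 pkgdesc="Utility to apply diffs to files"
 url="https://www.gnu.org/software/patch/patch.html"
 arch="all"
-license="GPL-3.0+"
+license="GPL-3.0-or-later"
 depends=""
-makedepends=""
+makedepends="autoconf automake"
 # testsuite needs coreutils due to bug in busybox `cat -ve`
 # http://lists.busybox.net/pipermail/busybox/2018-April/086401.html
 checkdepends="coreutils bash ed"
-install=""
 subpackages="$pkgname-doc"
 source="ftp://ftp.gnu.org/gnu/$pkgname/$pkgname-$pkgver.tar.xz
 CVE-2018-6951.patch
 CVE-2018-6952.patch
+0001-Allow-input-files-to-be-missing-for-ed-style-patches.patch
+0002-Fix-arbitrary-command-execution-in-ed-style-patches-.patch
 CVE-2019-13636.patch
+CVE-2019-13638.patch
 "
 builddir="$srcdir"/$pkgname-$pkgver
 
 # secfixes:
+# 2.7.6-r6:
+# - CVE-2018-1000156
+# - CVE-2019-13638
 # 2.7.6-r5:
 # - CVE-2019-13636
 # 2.7.6-r2:
@@ -29,8 +34,12 @@ builddir="$srcdir"/$pkgname-$pkgver
 # 2.7.6-r4:
 # - CVE-2018-6952
 
+prepare() {
+default_prepare
+aclocal && autoheader && autoconf && automake --add-missing
+}
+
 build() {
-cd "$builddir"
 gl_cv_func_gettimeofday_clobber=no \
 gl_cv_func_tzset_clobber=no \
 ./configure \
@@ -39,13 +48,11 @@ build() {
 --prefix=/usr \
 --sysconfdir=/etc \
 --mandir=/usr/share/man \
---localstatedir=/var \
+--localstatedir=/var
---disable-nls
 make
 }
 
 check() {
-cd "$builddir"
 make SHELL=bash check
 }
 
@@ -61,4 +68,7 @@ package() {
 sha512sums="fcca87bdb67a88685a8a25597f9e015f5e60197b9a269fa350ae35a7991ed8da553939b4bbc7f7d3cfd863c67142af403b04165633acbce4339056a905e87fbd patch-2.7.6.tar.xz
 db51d0b791d38dd4f1b373621ee18620ae339b172f58a79420fdaa4a4b1b1d9df239cf61bbddc4e6a4896b28b8cffc7c99161eb5e2facaec8df86a1bf7755bc0 CVE-2018-6951.patch
 5d2eaef629bae92e5b4e5e57d140c24a73e2811306d5f2854858f846646b034d2da315071f478bcf6f8d856a065b9bb073f76322e8e3a42616bc212281ce6945 CVE-2018-6952.patch
-029b92bb899d0b1165cfe7f55b5a4c2d7090852f52e5c85a6bb1cf5913c914a5c68c6c34517e84f0a020a56d21814f8c18b934c8ebe059ba4eddece78a3a258c CVE-2019-13636.patch"
+33e8a82f5ee6b896fd434e7de1ca9e16e8d317941a021bea8c53afd5bf210774e8727df22f8d8f63f255de10de5a26428047bc710b033423d1e7a459cbbaf83a 0001-Allow-input-files-to-be-missing-for-ed-style-patches.patch
+d0d46e28c5fdcd5fe16826cbcf39d5a74fdf2593375d5206aa7bad759f16dbebeca3bf259239f99c13344579044a3de1000d705065cc19e917266bca6e5c0630 0002-Fix-arbitrary-command-execution-in-ed-style-patches-.patch
+029b92bb899d0b1165cfe7f55b5a4c2d7090852f52e5c85a6bb1cf5913c914a5c68c6c34517e84f0a020a56d21814f8c18b934c8ebe059ba4eddece78a3a258c CVE-2019-13636.patch
+d60f8c2364fca9b73aa73b5914cfd6571d11528d13fa7703ccfa93730cbdf8a6e4c9ca04cb7d02a40d33c38075890790b490052d5217e728b0948991da937980 CVE-2019-13638.patch"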
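Review bot: `source=` still fetches the tarball over `ftp://ftp.gnu.org`, an unauthenticated plaintext transport; the sha512sums pin the content, so this is not an integrity hole, but a security update is the natural moment to switch to `https://ftp.gnu.org/gnu/$pkgname/$pkgname-$pkgver.tar.xz`, which serves the same path. The rest of the section reads consistently: the three new patches are applied in the order their upstream commits were made, each has a matching `sha512sums` entry, `ed` is already in `checkdepends` for the new ed-style test, and the secfixes entry for 2.7.6-r6 names both CVEs from the commit message.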
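--- /dev/null
+++ b/main/patch/CVE-2019-13638.patch
@@ -0,0 +1,38 @@
+From 3fcd042d26d70856e826a42b5f93dc4854d80bf0 Mon Sep 17 00:00:00 2001
+From: Andreas Gruenbacher <agruen@gnu.org>
+Date: Fri, 6 Apr 2018 19:36:15 +0200
+Subject: Invoke ed directly instead of using the shell
+
+* src/pch.c (do_ed_script): Invoke ed directly instead of using a shell
+command to avoid quoting vulnerabilities.
+---
+src/pch.c | 6 ++----
+1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/src/pch.c b/src/pch.c
+index 4fd5a05..16e001a 100644
+--- a/src/pch.c
++++ b/src/pch.c
+@@ -2459,9 +2459,6 @@ do_ed_script (char const *inname, char const *outname,
+*outname_needs_removal = true;
+copy_file (inname, outname, 0, exclusive, instat.st_mode, true);
+}
+- sprintf (buf, "%s %s%s", editor_program,
+- verbosity == VERBOSE ? "" : "- ",
+- outname);
+fflush (stdout);
+
+pid = fork();
+@@ -2470,7 +2467,8 @@ do_ed_script (char const *inname, char const *outname,
+else if (pid == 0)
+{
+dup2 (tmpfd, 0);
+- execl ("/bin/sh", "sh", "-c", buf, (char *) 0);
++ assert (outname[0] != '!' && outname[0] != '-');
++ execlp (editor_program, editor_program, "-", outname, (char *) NULL);
+_exit (2);
+}
+else
+--
+cgit v1.0-41-gc330
+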
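Review bot: The check that keeps ed from reading `outname` as an option or a shell command (hunk line 31, presumably why a leading `-` or `!` is rejected) is an `assert`, so it vanishes under NDEBUG, and when it does fire it aborts inside the forked child rather than going through patch's own error reporting and cleanup. Move it into the parent before `fork ()` as an unconditional check: `if (outname[0] == '!' || outname[0] == '-') fatal ("Refusing to run %s on %s", editor_program, quotearg (outname));`. Separately, `execlp` resolves `editor_program` through PATH whenever EDITOR_PROGRAM is a bare name; that is no worse than the `/bin/sh -c` path it replaces, but it is worth a sentence in the patch description since the whole point of this change is which program ends up running. do_ed_script's body continues outside the hunk.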