Fix shell injection vulnerability in patch(1) via ed(1) by

tightening sanity check of the input. [1] While I'm there also replace ed(1) with red(1) because we do not need the unrestricted functionality. [2] Obtained from: Bitrig [1], DragonFly [2] Security: CVE-2015-1418 [1]
svn path=/head/; revision=286346
2015-08-05 22:04:54 +00:00 · 2015-08-05 22:04:54 +00:00 · 3fd78bfab2 · 2020-12-20 02:59:44 +00:00
commit 3fd78bfab2
parent f2a20b166a
2 changed files with 16 additions and 4 deletions
--- a/usr.bin/patch/pathnames.h
+++ b/usr.bin/patch/pathnames.h
@ -9,4 +9,4 @@

 #include <paths.h>

-#define	_PATH_ED		"/bin/ed"
+#define	_PATH_RED		"/bin/red"
--- a/usr.bin/patch/pch.c
+++ b/usr.bin/patch/pch.c
@ -1,4 +1,3 @@
-
 /*-
 * Copyright 1986, Larry Wall
 * 
@ -1410,13 +1409,14 @@ do_ed_script(void)
 	char	*t;
 	off_t	beginning_of_this_line;
 	FILE	*pipefp = NULL;
+	int	continuation;

 	if (!skip_rest_of_patch) {
 		if (copy_file(filearg[0], TMPOUTNAME) < 0) {
 			unlink(TMPOUTNAME);
 			fatal("can't create temp file %s", TMPOUTNAME);
 		}
-		snprintf(buf, buf_size, "%s%s%s", _PATH_ED,
+		snprintf(buf, buf_size, "%s%s%s", _PATH_RED,
 		    verbose ? " " : " -s ", TMPOUTNAME);
 		pipefp = popen(buf, "w");
 	}
@ -1434,7 +1434,19 @@ do_ed_script(void)
 		    (*t == 'a' || *t == 'c' || *t == 'd' || *t == 'i' || *t == 's')) {
 			if (pipefp != NULL)
 				fputs(buf, pipefp);
-			if (*t != 'd') {
+			if (*t == 's') {
+				for (;;) {
+					continuation = 0;
+					t = strchr(buf, '\0') - 1;
+					while (--t >= buf && *t == '\\')
+						continuation = !continuation;
+					if (!continuation ||
+					    pgets(true) == 0)
+						break;
+					if (pipefp != NULL)
+						fputs(buf, pipefp);
+				}
+			} else if (*t != 'd') {
 				while (pgets(true)) {
 					p_input_line++;
 					if (pipefp != NULL)