From 3fd78bfab2cdb03bf9a701097e68c8ead33722a2 Mon Sep 17 00:00:00 2001 From: Xin LI Date: Wed, 5 Aug 2015 22:04:54 +0000 Subject: [PATCH] Fix shell injection vulnerability in patch(1) via ed(1) by tightening sanity check of the input. [1] While I'm there also replace ed(1) with red(1) because we do not need the unrestricted functionality. [2] Obtained from: Bitrig [1], DragonFly [2] Security: CVE-2015-1418 [1] --- usr.bin/patch/pathnames.h | 2 +- usr.bin/patch/pch.c | 18 +++++++++++++++--- 2 files changed, 16 insertions(+), 4 deletions(-) diff --git a/usr.bin/patch/pathnames.h b/usr.bin/patch/pathnames.h index d31300ea843a..79d8faea6285 100644 --- a/usr.bin/patch/pathnames.h +++ b/usr.bin/patch/pathnames.h @@ -9,4 +9,4 @@ #include -#define _PATH_ED "/bin/ed" +#define _PATH_RED "/bin/red" diff --git a/usr.bin/patch/pch.c b/usr.bin/patch/pch.c index e731ca1f9e8f..5fadf6292f67 100644 --- a/usr.bin/patch/pch.c +++ b/usr.bin/patch/pch.c @@ -1,4 +1,3 @@ - /*- * Copyright 1986, Larry Wall * @@ -1410,13 +1409,14 @@ do_ed_script(void) char *t; off_t beginning_of_this_line; FILE *pipefp = NULL; + int continuation; if (!skip_rest_of_patch) { if (copy_file(filearg[0], TMPOUTNAME) < 0) { unlink(TMPOUTNAME); fatal("can't create temp file %s", TMPOUTNAME); } - snprintf(buf, buf_size, "%s%s%s", _PATH_ED, + snprintf(buf, buf_size, "%s%s%s", _PATH_RED, verbose ? " " : " -s ", TMPOUTNAME); pipefp = popen(buf, "w"); } @@ -1434,7 +1434,19 @@ do_ed_script(void) (*t == 'a' || *t == 'c' || *t == 'd' || *t == 'i' || *t == 's')) { if (pipefp != NULL) fputs(buf, pipefp); - if (*t != 'd') { + if (*t == 's') { + for (;;) { + continuation = 0; + t = strchr(buf, '\0') - 1; + while (--t >= buf && *t == '\\') + continuation = !continuation; + if (!continuation || + pgets(true) == 0) + break; + if (pipefp != NULL) + fputs(buf, pipefp); + } + } else if (*t != 'd') { while (pgets(true)) { p_input_line++; if (pipefp != NULL)