Fix shell injection vulnerability in patch(1) via ed(1) by

tightening sanity check of the input. [1]

While I'm there also replace ed(1) with red(1) because we do
not need the unrestricted functionality. [2]

Obtained from:	Bitrig [1], DragonFly [2]
Security:	CVE-2015-1418 [1]
delphij 2015-08-05 22:04:54 +00:00
parent 8b20bb9f26
commit 90e38dfd93
2 changed files with 16 additions and 4 deletions


@ -9,4 +9,4 @@
#include <paths.h>
#define _PATH_ED "/bin/ed"
#define _PATH_RED "/bin/red"


@ -1,4 +1,3 @@
/*-
* Copyright 1986, Larry Wall
*
@ -1410,13 +1409,14 @@ do_ed_script(void)
char *t;
off_t beginning_of_this_line;
FILE *pipefp = NULL;
int continuation;
if (!skip_rest_of_patch) {
if (copy_file(filearg[0], TMPOUTNAME) < 0) {
unlink(TMPOUTNAME);
fatal("can't create temp file %s", TMPOUTNAME);
}
snprintf(buf, buf_size, "%s%s%s", _PATH_ED,
snprintf(buf, buf_size, "%s%s%s", _PATH_RED,
verbose ? " " : " -s ", TMPOUTNAME);
pipefp = popen(buf, "w");
}
@ -1434,7 +1434,19 @@ do_ed_script(void)
(*t == 'a' || *t == 'c' || *t == 'd' || *t == 'i' || *t == 's')) {
if (pipefp != NULL)
fputs(buf, pipefp);
if (*t != 'd') {
if (*t == 's') {
for (;;) {
continuation = 0;
t = strchr(buf, '\0') - 1;
while (--t >= buf && *t == '\\')
continuation = !continuation;
if (!continuation ||
pgets(true) == 0)
break;
if (pipefp != NULL)
fputs(buf, pipefp);
}
} else if (*t != 'd') {
while (pgets(true)) {
p_input_line++;
if (pipefp != NULL)
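Review bot: The continuation loop added for the `s` command reads extra lines with `pgets(true)` but never bumps `p_input_line`, while the `a`/`c`/`i` branch just below does `p_input_line++` for every line it consumes, so line numbers reported after a multi-line substitute will lag behind the input; adding `p_input_line++;` right after the `break` test would keep them in step. The backslash scan also assumes every line ends in a newline: `t = strchr(buf, '\0') - 1` followed by the pre-decrement in `--t >= buf` always skips the final byte, so a line that arrives without a trailing newline has its last character left out of the parity count, and because that parity decides which following lines are written to the editor without going through the command check, it deserves an explicit `'\n'` test plus a comment stating the assumption. Stepping `t` below `buf` in that comparison is also outside what C guarantees for pointer arithmetic, even if it appears to work in practice. `do_ed_script` starts and ends outside the hunk, so how `pgets` terminates lines is not visible here.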