Hello community, here is the log from the commit of package patch for openSUSE:Factory checked in at 2018-04-22 14:42:28 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/patch (Old) and /work/SRC/openSUSE:Factory/.patch.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "patch" Sun Apr 22 14:42:28 2018 rev:42 rq:597758 version:2.7.6 Changes: -------- --- /work/SRC/openSUSE:Factory/patch/patch.changes 2018-03-30 11:55:15.032143755 +0200 +++ /work/SRC/openSUSE:Factory/.patch.new/patch.changes 2018-04-22 14:42:29.814764469 +0200 @@ -1,0 +2,20 @@ +Wed Apr 18 11:16:34 CEST 2018 - [email protected] + +- Add ed as BuildRequires so ed-style patches can be checked by + the test suite. + +------------------------------------------------------------------- +Wed Apr 18 08:53:00 UTC 2018 - [email protected] + +Fix CVE-2018-1000156 (bsc#1088420, savannah#53566). +- ed-style-01-missing-input-files.patch: Allow input files to be + missing for ed-style patches. +- ed-style-02-fix-arbitrary-command-execution.patch, + ed-style-03-update-test-Makefile.patch: Fix arbitrary command + execution in ed-style patches. +- ed-style-04-invoke-ed-directly.patch: Invoke ed directly instead + of using the shell. +- ed-style-05-minor-cleanups.patch: Minor cleanups in do_ed_script. +- ed-style-06-fix-test-failure.patch: Fix 'ed-style' test failure. + +------------------------------------------------------------------- New: ---- ed-style-01-missing-input-files.patch ed-style-02-fix-arbitrary-command-execution.patch ed-style-03-update-test-Makefile.patch ed-style-04-invoke-ed-directly.patch ed-style-05-minor-cleanups.patch ed-style-06-fix-test-failure.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ patch.spec ++++++ --- /var/tmp/diff_new_pack.jQWbB2/_old 2018-04-22 14:42:30.450741458 +0200 +++ /var/tmp/diff_new_pack.jQWbB2/_new 2018-04-22 14:42:30.450741458 +0200 @@ -27,9 +27,16 @@ Source2: http://ftp.gnu.org/gnu/patch/%{name}-%{version}.tar.xz.sig Source3: http://savannah.gnu.org/project/memberlist-gpgkeys.php?group=patch&download=1#/patch.keyring Patch1: fix-segfault-mangled-rename.patch +Patch2: ed-style-01-missing-input-files.patch +Patch3: ed-style-02-fix-arbitrary-command-execution.patch +Patch4: ed-style-03-update-test-Makefile.patch +Patch5: ed-style-04-invoke-ed-directly.patch +Patch6: ed-style-05-minor-cleanups.patch +Patch7: ed-style-06-fix-test-failure.patch # See bnc#662957. The fix for CVE-2010-4651 breaks the way interdiff was # invoking patch, so interdiff had to be fixed too. Conflicts: patchutils < 0.3.2 +BuildRequires: ed %if 0%{?suse_version} < 1220 BuildRequires: xz %endif @@ -41,6 +48,12 @@ %prep %setup -q %patch1 -p1 +%patch2 -p1 +%patch3 -p1 +%patch4 -p1 +%patch5 -p1 +%patch6 -p1 +%patch7 -p1 %build export CFLAGS="%{optflags} -Wall -O2 -pipe" @@ -55,11 +68,7 @@ %files %doc AUTHORS NEWS README -%if 0%{?suse_version} >= 1500 %license COPYING -%else -%doc COPYING -%endif %{_bindir}/patch %{_mandir}/man1/patch.1%{ext_man} ++++++ ed-style-01-missing-input-files.patch ++++++ From: Andreas Gruenbacher <[email protected]> Date: Fri, 6 Apr 2018 11:34:51 +0200 Subject: Allow input files to be missing for ed-style patches Patch-mainline: yes Git-commit: b5a91a01e5d0897facdd0f49d64b76b0f02b43e1 References: bsc#1088420, savannah#53566, CVE-2018-1000156 * src/pch.c (do_ed_script): Allow input files to be missing so that new files will be created as with non-ed-style patches. --- src/pch.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) --- a/src/pch.c +++ b/src/pch.c @@ -2394,9 +2394,11 @@ do_ed_script (char const *inname, char c if (! dry_run && ! skip_rest_of_patch) { int exclusive = *outname_needs_removal ? 0 : O_EXCL; - assert (! inerrno); - *outname_needs_removal = true; - copy_file (inname, outname, 0, exclusive, instat.st_mode, true); + if (inerrno != ENOENT) + { + *outname_needs_removal = true; + copy_file (inname, outname, 0, exclusive, instat.st_mode, true); + } sprintf (buf, "%s %s%s", editor_program, verbosity == VERBOSE ? "" : "- ", outname); ++++++ ed-style-02-fix-arbitrary-command-execution.patch ++++++ From: Andreas Gruenbacher <[email protected]> Date: Fri, 6 Apr 2018 12:14:49 +0200 Subject: Fix arbitrary command execution in ed-style patches Patch-mainline: yes Git-commit: 123eaff0d5d1aebe128295959435b9ca5909c26d References: bsc#1088420, savannah#53566, CVE-2018-1000156 * src/pch.c (do_ed_script): Write ed script to a temporary file instead of piping it to ed: this will cause ed to abort on invalid commands instead of rejecting them and carrying on. * tests/ed-style: New test case. * tests/Makefile.am (TESTS): Add test case. --- src/pch.c | 91 +++++++++++++++++++++++++++++++++++++++--------------- tests/Makefile.am | 1 tests/ed-style | 41 ++++++++++++++++++++++++ 3 files changed, 108 insertions(+), 25 deletions(-) --- a/src/pch.c +++ b/src/pch.c @@ -33,6 +33,7 @@ # include <io.h> #endif #include <safe.h> +#include <sys/wait.h> #define INITHUNKMAX 125 /* initial dynamic allocation size */ @@ -2389,24 +2390,28 @@ do_ed_script (char const *inname, char c static char const editor_program[] = EDITOR_PROGRAM; file_offset beginning_of_this_line; - FILE *pipefp = 0; size_t chars_read; + FILE *tmpfp = 0; + char const *tmpname; + int tmpfd; + pid_t pid; + + if (! dry_run && ! skip_rest_of_patch) + { + /* Write ed script to a temporary file. This causes ed to abort on + invalid commands such as when line numbers or ranges exceed the + number of available lines. When ed reads from a pipe, it rejects + invalid commands and treats the next line as a new command, which + can lead to arbitrary command execution. */ + + tmpfd = make_tempfile (&tmpname, 'e', NULL, O_RDWR | O_BINARY, 0); + if (tmpfd == -1) + pfatal ("Can't create temporary file %s", quotearg (tmpname)); + tmpfp = fdopen (tmpfd, "w+b"); + if (! tmpfp) + pfatal ("Can't open stream for file %s", quotearg (tmpname)); + } - if (! dry_run && ! skip_rest_of_patch) { - int exclusive = *outname_needs_removal ? 0 : O_EXCL; - if (inerrno != ENOENT) - { - *outname_needs_removal = true; - copy_file (inname, outname, 0, exclusive, instat.st_mode, true); - } - sprintf (buf, "%s %s%s", editor_program, - verbosity == VERBOSE ? "" : "- ", - outname); - fflush (stdout); - pipefp = popen(buf, binary_transput ? "wb" : "w"); - if (!pipefp) - pfatal ("Can't open pipe to %s", quotearg (buf)); - } for (;;) { char ed_command_letter; beginning_of_this_line = file_tell (pfp); @@ -2417,14 +2422,14 @@ do_ed_script (char const *inname, char c } ed_command_letter = get_ed_command_letter (buf); if (ed_command_letter) { - if (pipefp) - if (! fwrite (buf, sizeof *buf, chars_read, pipefp)) + if (tmpfp) + if (! fwrite (buf, sizeof *buf, chars_read, tmpfp)) write_fatal (); if (ed_command_letter != 'd' && ed_command_letter != 's') { p_pass_comments_through = true; while ((chars_read = get_line ()) != 0) { - if (pipefp) - if (! fwrite (buf, sizeof *buf, chars_read, pipefp)) + if (tmpfp) + if (! fwrite (buf, sizeof *buf, chars_read, tmpfp)) write_fatal (); if (chars_read == 2 && strEQ (buf, ".\n")) break; @@ -2437,13 +2442,49 @@ do_ed_script (char const *inname, char c break; } } - if (!pipefp) + if (!tmpfp) return; - if (fwrite ("w\nq\n", sizeof (char), (size_t) 4, pipefp) == 0 - || fflush (pipefp) != 0) + if (fwrite ("w\nq\n", sizeof (char), (size_t) 4, tmpfp) == 0 + || fflush (tmpfp) != 0) write_fatal (); - if (pclose (pipefp) != 0) - fatal ("%s FAILED", editor_program); + + if (lseek (tmpfd, 0, SEEK_SET) == -1) + pfatal ("Can't rewind to the beginning of file %s", quotearg (tmpname)); + + if (! dry_run && ! skip_rest_of_patch) { + int exclusive = *outname_needs_removal ? 0 : O_EXCL; + *outname_needs_removal = true; + if (inerrno != ENOENT) + { + *outname_needs_removal = true; + copy_file (inname, outname, 0, exclusive, instat.st_mode, true); + } + sprintf (buf, "%s %s%s", editor_program, + verbosity == VERBOSE ? "" : "- ", + outname); + fflush (stdout); + + pid = fork(); + if (pid == -1) + pfatal ("Can't fork"); + else if (pid == 0) + { + dup2 (tmpfd, 0); + execl ("/bin/sh", "sh", "-c", buf, (char *) 0); + _exit (2); + } + else + { + int wstatus; + if (waitpid (pid, &wstatus, 0) == -1 + || ! WIFEXITED (wstatus) + || WEXITSTATUS (wstatus) != 0) + fatal ("%s FAILED", editor_program); + } + } + + fclose (tmpfp); + safe_unlink (tmpname); if (ofp) { --- a/tests/Makefile.am +++ b/tests/Makefile.am @@ -32,6 +32,7 @@ TESTS = \ crlf-handling \ dash-o-append \ deep-directories \ + ed-style \ empty-files \ false-match \ fifo \ --- /dev/null +++ b/tests/ed-style @@ -0,0 +1,41 @@ +# Copyright (C) 2018 Free Software Foundation, Inc. +# +# Copying and distribution of this file, with or without modification, +# in any medium, are permitted without royalty provided the copyright +# notice and this notice are preserved. + +. $srcdir/test-lib.sh + +require cat +use_local_patch +use_tmpdir + +# ============================================================== + +cat > ed1.diff <<EOF +0a +foo +. +EOF + +check 'patch -e foo -i ed1.diff' <<EOF +EOF + +check 'cat foo' <<EOF +foo +EOF + +cat > ed2.diff <<EOF +1337a +r !echo bar +,p +EOF + +check 'patch -e foo -i ed2.diff 2> /dev/null || echo "Status: $?"' <<EOF +? +Status: 2 +EOF + +check 'cat foo' <<EOF +foo +EOF ++++++ ed-style-03-update-test-Makefile.patch ++++++ From: Jean Delvare <[email protected]> Subject: Update tests/Makefile.in Patch-mainline: no, temporary integration References: bsc#1088420, savannah#53566, CVE-2018-1000156 Previous patch modifies tests/Makefile.am. Mirror the changes to tests/Makefile.in so that we don't need automake. --- tests/Makefile.in | 8 ++++++++ 1 file changed, 8 insertions(+) --- a/tests/Makefile.in +++ b/tests/Makefile.in @@ -1308,6 +1308,7 @@ TESTS = \ crlf-handling \ dash-o-append \ deep-directories \ + ed-style \ empty-files \ false-match \ fifo \ @@ -1638,6 +1639,13 @@ deep-directories.log: deep-directories $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ --log-file $$b.log --trs-file $$b.trs \ $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) +ed-style.log: ed-style + @p='ed-style'; \ + b='ed-style'; \ + $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ "$$tst" $(AM_TESTS_FD_REDIRECT) empty-files.log: empty-files @p='empty-files'; \ ++++++ ed-style-04-invoke-ed-directly.patch ++++++ From: Andreas Gruenbacher <[email protected]> Date: Fri, 6 Apr 2018 19:36:15 +0200 Subject: Invoke ed directly instead of using the shell Git-commit: 3fcd042d26d70856e826a42b5f93dc4854d80bf0 Patch-mainline: yes References: bsc#1088420, savannah#53566, CVE-2018-1000156 * src/pch.c (do_ed_script): Invoke ed directly instead of using a shell command to avoid quoting vulnerabilities. --- src/pch.c | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) --- a/src/pch.c +++ b/src/pch.c @@ -2459,9 +2459,6 @@ do_ed_script (char const *inname, char c *outname_needs_removal = true; copy_file (inname, outname, 0, exclusive, instat.st_mode, true); } - sprintf (buf, "%s %s%s", editor_program, - verbosity == VERBOSE ? "" : "- ", - outname); fflush (stdout); pid = fork(); @@ -2470,7 +2467,8 @@ do_ed_script (char const *inname, char c else if (pid == 0) { dup2 (tmpfd, 0); - execl ("/bin/sh", "sh", "-c", buf, (char *) 0); + assert (outname[0] != '!' && outname[0] != '-'); + execlp (editor_program, editor_program, "-", outname, (char *) NULL); _exit (2); } else ++++++ ed-style-05-minor-cleanups.patch ++++++ From: Andreas Gruenbacher <[email protected]> Date: Fri, 6 Apr 2018 20:32:46 +0200 Subject: Minor cleanups in do_ed_script Git-commit: 2a32bf09f5e9572da4be183bb0dbde8164351474 Patch-mainline: yes References: bsc#1088420, savannah#53566, CVE-2018-1000156 * src/pch.c (do_ed_script): Minor cleanups. Backporting notes: adjusted because we don't have commit ff1d3a67da1e ("Use gnulib execute module") so the context is very different. --- src/pch.c | 56 +++++++++++++++++++++++++++----------------------------- 1 file changed, 27 insertions(+), 29 deletions(-) --- a/src/pch.c +++ b/src/pch.c @@ -2395,6 +2395,8 @@ do_ed_script (char const *inname, char c char const *tmpname; int tmpfd; pid_t pid; + int exclusive = *outname_needs_removal ? 0 : O_EXCL; + if (! dry_run && ! skip_rest_of_patch) { @@ -2442,7 +2444,7 @@ do_ed_script (char const *inname, char c break; } } - if (!tmpfp) + if (dry_run || skip_rest_of_patch) return; if (fwrite ("w\nq\n", sizeof (char), (size_t) 4, tmpfp) == 0 || fflush (tmpfp) != 0) @@ -2451,35 +2453,31 @@ do_ed_script (char const *inname, char c if (lseek (tmpfd, 0, SEEK_SET) == -1) pfatal ("Can't rewind to the beginning of file %s", quotearg (tmpname)); - if (! dry_run && ! skip_rest_of_patch) { - int exclusive = *outname_needs_removal ? 0 : O_EXCL; + if (inerrno != ENOENT) + { *outname_needs_removal = true; - if (inerrno != ENOENT) - { - *outname_needs_removal = true; - copy_file (inname, outname, 0, exclusive, instat.st_mode, true); - } - fflush (stdout); - - pid = fork(); - if (pid == -1) - pfatal ("Can't fork"); - else if (pid == 0) - { - dup2 (tmpfd, 0); - assert (outname[0] != '!' && outname[0] != '-'); - execlp (editor_program, editor_program, "-", outname, (char *) NULL); - _exit (2); - } - else - { - int wstatus; - if (waitpid (pid, &wstatus, 0) == -1 - || ! WIFEXITED (wstatus) - || WEXITSTATUS (wstatus) != 0) - fatal ("%s FAILED", editor_program); - } - } + copy_file (inname, outname, 0, exclusive, instat.st_mode, true); + } + fflush (stdout); + + pid = fork(); + if (pid == -1) + pfatal ("Can't fork"); + else if (pid == 0) + { + dup2 (tmpfd, 0); + assert (outname[0] != '!' && outname[0] != '-'); + execlp (editor_program, editor_program, "-", outname, (char *) NULL); + _exit (2); + } + else + { + int wstatus; + if (waitpid (pid, &wstatus, 0) == -1 + || ! WIFEXITED (wstatus) + || WEXITSTATUS (wstatus) != 0) + fatal ("%s FAILED", editor_program); + } fclose (tmpfp); safe_unlink (tmpname); ++++++ ed-style-06-fix-test-failure.patch ++++++ From: Bruno Haible <[email protected]> Date: Sat, 7 Apr 2018 12:34:03 +0200 Subject: Fix 'ed-style' test failure Git-commit: 458ac51a05426c1af9aa6bf1342ecf60728c19b4 Patch-mainline: yes References: bsc#1088420, savannah#53566, CVE-2018-1000156 * tests/ed-style: Remove '?' line from expected output. --- tests/ed-style | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) --- a/tests/ed-style +++ b/tests/ed-style @@ -31,8 +31,7 @@ r !echo bar ,p EOF -check 'patch -e foo -i ed2.diff 2> /dev/null || echo "Status: $?"' <<EOF -? +check 'patch -e foo -i ed2.diff > /dev/null 2> /dev/null || echo "Status: $?"' <<EOF Status: 2 EOF
