Hello community, here is the log from the commit of package patch for openSUSE:Factory checked in at 2018-05-13 15:53:43 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/patch (Old) and /work/SRC/openSUSE:Factory/.patch.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "patch" Sun May 13 15:53:43 2018 rev:43 rq:605717 version:2.7.6 Changes: -------- --- /work/SRC/openSUSE:Factory/patch/patch.changes 2018-04-22 14:42:29.814764469 +0200 +++ /work/SRC/openSUSE:Factory/.patch.new/patch.changes 2018-05-13 15:53:53.838780878 +0200 @@ -1,0 +2,8 @@ +Wed May 9 09:52:04 UTC 2018 - [email protected] + +- ed-style-07-dont-leak-tmp-file.patch, + ed-style-08-dont-leak-tmp-file-multi.patch: Fix temporary file + leak when applying ed-style patches (bsc#1092500, + savannah#53820). + +------------------------------------------------------------------- New: ---- ed-style-07-dont-leak-tmp-file.patch ed-style-08-dont-leak-tmp-file-multi.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ patch.spec ++++++ --- /var/tmp/diff_new_pack.2lLUXY/_old 2018-05-13 15:53:55.102734753 +0200 +++ /var/tmp/diff_new_pack.2lLUXY/_new 2018-05-13 15:53:55.106734607 +0200 @@ -33,6 +33,8 @@ Patch5: ed-style-04-invoke-ed-directly.patch Patch6: ed-style-05-minor-cleanups.patch Patch7: ed-style-06-fix-test-failure.patch +Patch8: ed-style-07-dont-leak-tmp-file.patch +Patch9: ed-style-08-dont-leak-tmp-file-multi.patch # See bnc#662957. The fix for CVE-2010-4651 breaks the way interdiff was # invoking patch, so interdiff had to be fixed too. Conflicts: patchutils < 0.3.2 @@ -54,6 +56,8 @@ %patch5 -p1 %patch6 -p1 %patch7 -p1 +%patch8 -p1 +%patch9 -p1 %build export CFLAGS="%{optflags} -Wall -O2 -pipe" ++++++ ed-style-07-dont-leak-tmp-file.patch ++++++ From: Jean Delvare <[email protected]> Date: Thu, 3 May 2018 14:31:55 +0200 Subject: Don't leak temporary file on failed ed-style patch Git-commit: 19599883ffb6a450d2884f081f8ecf68edbed7ee Patch-mainline: yes References: bsc#1092500, savannah#53820 Now that we write ed-style patches to a temporary file before we apply them, we need to ensure that the temporary file is removed before we leave, even on fatal error. * src/pch.c (do_ed_script): Use global TMPEDNAME instead of local tmpname. Don't unlink the file directly, instead tag it for removal at exit time. * src/patch.c (cleanup): Unlink TMPEDNAME at exit. This closes bug #53820: https://savannah.gnu.org/bugs/index.php?53820 Fixes: 123eaff0d5d1 ("Fix arbitrary command execution in ed-style patches (CVE-2018-1000156)") --- src/common.h | 2 ++ src/patch.c | 1 + src/pch.c | 11 +++++------ 3 files changed, 8 insertions(+), 6 deletions(-) --- a/src/common.h +++ b/src/common.h @@ -94,10 +94,12 @@ XTERN char const *origsuff; XTERN char const * TMPINNAME; XTERN char const * TMPOUTNAME; XTERN char const * TMPPATNAME; +XTERN char const * TMPEDNAME; XTERN bool TMPINNAME_needs_removal; XTERN bool TMPOUTNAME_needs_removal; XTERN bool TMPPATNAME_needs_removal; +XTERN bool TMPEDNAME_needs_removal; #ifdef DEBUGGING XTERN int debug; --- a/src/patch.c +++ b/src/patch.c @@ -1999,6 +1999,7 @@ cleanup (void) remove_if_needed (TMPINNAME, &TMPINNAME_needs_removal); remove_if_needed (TMPOUTNAME, &TMPOUTNAME_needs_removal); remove_if_needed (TMPPATNAME, &TMPPATNAME_needs_removal); + remove_if_needed (TMPEDNAME, &TMPEDNAME_needs_removal); remove_if_needed (TMPREJNAME, &TMPREJNAME_needs_removal); output_files (NULL); } --- a/src/pch.c +++ b/src/pch.c @@ -2392,7 +2392,6 @@ do_ed_script (char const *inname, char c file_offset beginning_of_this_line; size_t chars_read; FILE *tmpfp = 0; - char const *tmpname; int tmpfd; pid_t pid; int exclusive = *outname_needs_removal ? 0 : O_EXCL; @@ -2406,12 +2405,13 @@ do_ed_script (char const *inname, char c invalid commands and treats the next line as a new command, which can lead to arbitrary command execution. */ - tmpfd = make_tempfile (&tmpname, 'e', NULL, O_RDWR | O_BINARY, 0); + tmpfd = make_tempfile (&TMPEDNAME, 'e', NULL, O_RDWR | O_BINARY, 0); if (tmpfd == -1) - pfatal ("Can't create temporary file %s", quotearg (tmpname)); + pfatal ("Can't create temporary file %s", quotearg (TMPEDNAME)); + TMPEDNAME_needs_removal = true; tmpfp = fdopen (tmpfd, "w+b"); if (! tmpfp) - pfatal ("Can't open stream for file %s", quotearg (tmpname)); + pfatal ("Can't open stream for file %s", quotearg (TMPEDNAME)); } for (;;) { @@ -2451,7 +2451,7 @@ do_ed_script (char const *inname, char c write_fatal (); if (lseek (tmpfd, 0, SEEK_SET) == -1) - pfatal ("Can't rewind to the beginning of file %s", quotearg (tmpname)); + pfatal ("Can't rewind to the beginning of file %s", quotearg (TMPEDNAME)); if (inerrno != ENOENT) { @@ -2480,7 +2480,6 @@ do_ed_script (char const *inname, char c } fclose (tmpfp); - safe_unlink (tmpname); if (ofp) { ++++++ ed-style-08-dont-leak-tmp-file-multi.patch ++++++ From: Jean Delvare <[email protected]> Date: Mon, 7 May 2018 15:14:45 +0200 Subject: Don't leak temporary file on failed multi-file ed-style patch Git-commit: 369dcccdfa6336e5a873d6d63705cfbe04c55727 Patch-mainline: yes References: bsc#1092500, savannah#53820 The previous fix worked fine with single-file ed-style patches, but would still leak temporary files in the case of multi-file ed-style patch. Fix that case as well, and extend the test case to check for it. * src/patch.c (main): Unlink TMPEDNAME if needed before moving to the next file in a patch. This closes bug #53820: https://savannah.gnu.org/bugs/index.php?53820 Fixes: 123eaff0d5d1 ("Fix arbitrary command execution in ed-style patches (CVE-2018-1000156)") Fixes: 19599883ffb6 ("Don't leak temporary file on failed ed-style patch") --- src/patch.c | 1 + tests/ed-style | 31 +++++++++++++++++++++++++++++++ 2 files changed, 32 insertions(+) --- a/src/patch.c +++ b/src/patch.c @@ -236,6 +236,7 @@ main (int argc, char **argv) } remove_if_needed (TMPOUTNAME, &TMPOUTNAME_needs_removal); } + remove_if_needed (TMPEDNAME, &TMPEDNAME_needs_removal); if (! skip_rest_of_patch && ! file_type) { --- a/tests/ed-style +++ b/tests/ed-style @@ -38,3 +38,34 @@ EOF check 'cat foo' <<EOF foo EOF + +# Test the case where one ed-style patch modifies several files + +cat > ed3.diff <<EOF +--- foo ++++ foo +1c +bar +. +--- baz ++++ baz +0a +baz +. +EOF + +# Apparently we can't create a file with such a patch, while it works fine +# when the file name is provided on the command line +cat > baz <<EOF +EOF + +check 'patch -e -i ed3.diff' <<EOF +EOF + +check 'cat foo' <<EOF +bar +EOF + +check 'cat baz' <<EOF +baz +EOF
