diff -Nru patch-2.7.1/debian/changelog patch-2.7.1/debian/changelog --- patch-2.7.1/debian/changelog 2015-06-22 19:33:20.000000000 +0000 +++ patch-2.7.1/debian/changelog 2018-04-10 13:56:21.000000000 +0000 @@ -1,3 +1,20 @@ +patch (2.7.1-4ubuntu2.4) trusty-security; urgency=medium + + * SECURITY UPDATE: Out-of-bounds access + - debian/patches/CVE-2016-10713.patch: fix in + src/pch.c. + - CVE-2016-10713 + * SECURITY UPDATE: Input validation vulnerability + - debian/patches/CVE-2018-1000156.patch: fix in + src/pch.c adding tests in Makefile.in, tests/ed-style. + - debian/patches/0001-Fix-ed-style-test-failure.patch: + - CVE-2018-1000156 + * SECURITY UPDATE: NULL pointer dereference + - debian/patches/CVE-2018-6951.patch: fix in src/pch.c. + - CVE-2018-6951 + + -- Leonidas S. Barbosa Mon, 09 Apr 2018 11:14:01 -0300 + patch (2.7.1-4ubuntu2.3) trusty-security; urgency=medium * SECURITY UPDATE: Denial of service via crafted patch diff -Nru patch-2.7.1/debian/patches/0001-Fix-ed-style-test-failure.patch patch-2.7.1/debian/patches/0001-Fix-ed-style-test-failure.patch --- patch-2.7.1/debian/patches/0001-Fix-ed-style-test-failure.patch 1970-01-01 00:00:00.000000000 +0000 +++ patch-2.7.1/debian/patches/0001-Fix-ed-style-test-failure.patch 2018-04-10 13:55:45.000000000 +0000 @@ -0,0 +1,27 @@ +From 458ac51a05426c1af9aa6bf1342ecf60728c19b4 Mon Sep 17 00:00:00 2001 +From: Bruno Haible +Date: Sat, 7 Apr 2018 12:34:03 +0200 +Subject: [PATCH] Fix 'ed-style' test failure. + +* tests/ed-style: Remove '?' line from expected output. +--- + tests/ed-style | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/tests/ed-style b/tests/ed-style +index d8c0689..6b6ef9d 100644 +--- a/tests/ed-style ++++ b/tests/ed-style +@@ -31,8 +31,7 @@ r !echo bar + ,p + EOF + +-check 'patch -e foo -i ed2.diff 2> /dev/null || echo "Status: $?"' < /dev/null 2> /dev/null || echo "Status: $?"' < +Date: Wed, 10 Aug 2016 00:06:41 +0200 +Subject: [PATCH] Fix out-of-bounds access to lines in a patch + +This bug can trigger with malformed patches. +* src/pch.c (pch_write_line): Avoid out-of-bounds access to +p_line[line][p_len[line] - 1] when p_len[line] is 0. +--- + src/pch.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +Index: patch-2.7.1/src/pch.c +=================================================================== +--- patch-2.7.1.orig/src/pch.c ++++ patch-2.7.1/src/pch.c +@@ -2245,7 +2245,7 @@ pfetch (lin line) + bool + pch_write_line (lin line, FILE *file) + { +- bool after_newline = p_line[line][p_len[line] - 1] == '\n'; ++ bool after_newline = (p_len[line] > 0) && (p_line[line][p_len[line] - 1] == '\n'); + if (! fwrite (p_line[line], sizeof (*p_line[line]), p_len[line], file)) + write_fatal (); + return after_newline; diff -Nru patch-2.7.1/debian/patches/CVE-2018-1000156.patch patch-2.7.1/debian/patches/CVE-2018-1000156.patch --- patch-2.7.1/debian/patches/CVE-2018-1000156.patch 1970-01-01 00:00:00.000000000 +0000 +++ patch-2.7.1/debian/patches/CVE-2018-1000156.patch 2018-04-10 14:08:57.000000000 +0000 @@ -0,0 +1,212 @@ +Backported of: + +From 123eaff0d5d1aebe128295959435b9ca5909c26d Mon Sep 17 00:00:00 2001 +From: Andreas Gruenbacher +Date: Fri, 6 Apr 2018 12:14:49 +0200 +Subject: [PATCH] Fix arbitrary command execution in ed-style patches + (CVE-2018-1000156) + +* src/pch.c (do_ed_script): Write ed script to a temporary file instead +of piping it to ed: this will cause ed to abort on invalid commands +instead of rejecting them and carrying on. +* tests/ed-style: New test case. +* tests/Makefile.am (TESTS): Add test case. + +--- + src/pch.c | 89 +++++++++++++++++++++++++++++++++++++++++-------------- + tests/Makefile.am | 1 + + tests/ed-style | 41 +++++++++++++++++++++++++ + 3 files changed, 108 insertions(+), 23 deletions(-) + create mode 100644 tests/ed-style + +diff --git a/src/pch.c b/src/pch.c +index 92f6269..8532d94 100644 +--- a/src/pch.c ++++ b/src/pch.c +@@ -32,6 +32,7 @@ + # include + #endif + #include ++#include + + #define INITHUNKMAX 125 /* initial dynamic allocation size */ + +@@ -2357,22 +2358,28 @@ do_ed_script (char const *inname, char const *outname, + static char const editor_program[] = EDITOR_PROGRAM; + + file_offset beginning_of_this_line; +- FILE *pipefp = 0; + size_t chars_read; ++ FILE *tmpfp = 0; ++ char const *tmpname; ++ int tmpfd = -1; ++ pid_t pid; ++ ++ if (! dry_run && ! skip_rest_of_patch) ++ { ++ /* Write ed script to a temporary file. This causes ed to abort on ++ invalid commands such as when line numbers or ranges exceed the ++ number of available lines. When ed reads from a pipe, it rejects ++ invalid commands and treats the next line as a new command, which ++ can lead to arbitrary command execution. */ ++ ++ tmpfd = make_tempfile (&tmpname, 'e', NULL, O_RDWR | O_BINARY, 0); ++ if (tmpfd == -1) ++ pfatal ("Can't create temporary file %s", quotearg (tmpname)); ++ tmpfp = fdopen (tmpfd, "w+b"); ++ if (! tmpfp) ++ pfatal ("Can't open stream for file %s", quotearg (tmpname)); ++ } + +- if (! dry_run && ! skip_rest_of_patch) { +- int exclusive = *outname_needs_removal ? 0 : O_EXCL; +- assert (! inerrno); +- *outname_needs_removal = true; +- copy_file (inname, outname, 0, exclusive, instat.st_mode, true); +- sprintf (buf, "%s %s%s", editor_program, +- verbosity == VERBOSE ? "" : "- ", +- outname); +- fflush (stdout); +- pipefp = popen(buf, binary_transput ? "wb" : "w"); +- if (!pipefp) +- pfatal ("Can't open pipe to %s", quotearg (buf)); +- } + for (;;) { + char ed_command_letter; + beginning_of_this_line = file_tell (pfp); +@@ -2383,14 +2390,14 @@ do_ed_script (char const *inname, char const *outname, + } + ed_command_letter = get_ed_command_letter (buf); + if (ed_command_letter) { +- if (pipefp) +- if (! fwrite (buf, sizeof *buf, chars_read, pipefp)) ++ if (tmpfp) ++ if (! fwrite (buf, sizeof *buf, chars_read, tmpfp)) + write_fatal (); + if (ed_command_letter != 'd' && ed_command_letter != 's') { + p_pass_comments_through = true; + while ((chars_read = get_line ()) != 0) { +- if (pipefp) +- if (! fwrite (buf, sizeof *buf, chars_read, pipefp)) ++ if (tmpfp) ++ if (! fwrite (buf, sizeof *buf, chars_read, tmpfp)) + write_fatal (); + if (chars_read == 2 && strEQ (buf, ".\n")) + break; +@@ -2403,13 +2410,49 @@ do_ed_script (char const *inname, char const *outname, + break; + } + } +- if (!pipefp) ++ if (!tmpfp) + return; +- if (fwrite ("w\nq\n", sizeof (char), (size_t) 4, pipefp) == 0 +- || fflush (pipefp) != 0) ++ if (fwrite ("w\nq\n", sizeof (char), (size_t) 4, tmpfp) == 0 ++ || fflush (tmpfp) != 0) + write_fatal (); +- if (pclose (pipefp) != 0) +- fatal ("%s FAILED", editor_program); ++ ++ ++ if (lseek (tmpfd, 0, SEEK_SET) == -1) ++ pfatal ("Can't rewind to the beginning of file %s", quotearg (tmpname)); ++ ++ if (! dry_run && ! skip_rest_of_patch) { ++ int exclusive = *outname_needs_removal ? 0 : O_EXCL; ++ *outname_needs_removal = true; ++ if (inerrno != ENOENT) ++ { ++ *outname_needs_removal = true; ++ copy_file (inname, outname, 0, exclusive, instat.st_mode, true); ++ } ++ sprintf (buf, "%s %s%s", editor_program, ++ verbosity == VERBOSE ? "" : "- ", ++ outname); ++ fflush (stdout); ++ ++ pid = fork(); ++ if (pid == -1) ++ pfatal ("Can't fork"); ++ else if (pid == 0) ++ { ++ dup2 (tmpfd, 0); ++ execl ("/bin/sh", "sh", "-c", buf, (char *) 0); ++ _exit (2); ++ } ++ else ++ { ++ int wstatus; ++ if (waitpid (pid, &wstatus, 0) == -1 ++ || ! WIFEXITED (wstatus) ++ || WEXITSTATUS (wstatus) != 0) ++ fatal ("%s FAILED", editor_program); ++ } ++ } ++ ++ fclose (tmpfp); + + if (ofp) + { +diff --git a/tests/Makefile.am b/tests/Makefile.am +index 03bd45a..21acfce 100644 +--- a/tests/Makefile.am ++++ b/tests/Makefile.am +@@ -28,6 +28,7 @@ TESTS = \ + criss-cross \ + crlf-handling \ + dash-o-append \ ++ ed-style \ + empty-files \ + fifo \ + file-modes \ +diff --git a/tests/ed-style b/tests/ed-style +new file mode 100644 +index 0000000..d8c0689 +--- /dev/null ++++ b/tests/ed-style +@@ -0,0 +1,41 @@ ++# Copyright (C) 2018 Free Software Foundation, Inc. ++# ++# Copying and distribution of this file, with or without modification, ++# in any medium, are permitted without royalty provided the copyright ++# notice and this notice are preserved. ++ ++. $srcdir/test-lib.sh ++ ++require cat ++use_local_patch ++use_tmpdir ++ ++# ============================================================== ++ ++cat > ed1.diff < ed2.diff < /dev/null || echo "Status: $?"' < +Date: Mon, 12 Feb 2018 16:48:24 +0100 +Subject: [PATCH] Fix segfault with mangled rename patch + +http://savannah.gnu.org/bugs/?53132 +* src/pch.c (intuit_diff_type): Ensure that two filenames are specified +for renames and copies (fix the existing check). +--- + src/pch.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +Index: patch-2.7.1/src/pch.c +=================================================================== +--- patch-2.7.1.orig/src/pch.c ++++ patch-2.7.1/src/pch.c +@@ -972,7 +972,8 @@ intuit_diff_type (bool need_header, mode + if ((pch_rename () || pch_copy ()) + && ! inname + && ! ((i == OLD || i == NEW) && +- p_name[! reverse] && ++ p_name[reverse] && p_name[! reverse] && ++ name_is_valid (p_name[reverse]) && + name_is_valid (p_name[! reverse]))) + { + say ("Cannot %s file without two valid file names\n", pch_rename () ? "rename" : "copy"); diff -Nru patch-2.7.1/debian/patches/series patch-2.7.1/debian/patches/series --- patch-2.7.1/debian/patches/series 2015-06-11 20:51:56.000000000 +0000 +++ patch-2.7.1/debian/patches/series 2018-04-10 14:09:15.000000000 +0000 @@ -8,3 +8,7 @@ CVE-2015-1196.patch CVE-2015-1395.patch CVE-2015-1396.patch +CVE-2016-10713.patch +CVE-2018-1000156.patch +CVE-2018-6951.patch +0001-Fix-ed-style-test-failure.patch