Date: Sat, 01 Aug 2015 19:09:07 -0500
From: Mark Felder <feld@...d.me>
To: oss-security@...ts.openwall.com
Subject: Re: CVE-2015-1416: vulnerability in patch(1)



On Sat, Aug 1, 2015, at 17:49, Florian Weimer wrote:
> * Mark Felder:
> 
> > Which upstream? There are a few different flavors of patch(1) out there.
> > The one in FreeBSD is a variant of Larry Wall's patch, not GNU patch.
> 
> GNU patch is a variant of Larry Wall's patch, too.  I guess this makes
> FreeBSD (and OpenBSD?) patch and GNU patch siblings.

Aha, I see that mentioned under AUTHORS in GNU Patch's man page. This
piqued my interest, so I went down the following rabbit hole:

This fix in FreeBSD seems to have been sourced from Bitrig, the OpenBSD
fork:

https://svnweb.freebsd.org/base?view=revision&revision=285974

A quick glance shows the first parts of the vulnerability fix change
code introduced by this commit, the actual initial import of this
BSD-licensed patch to FreeBSD from DragonflyBSD.

https://svnweb.freebsd.org/base?view=revision&revision=246074

Bitrig originally patched it here:

https://github.com/bitrig/bitrig/commit/84c2a000b0029c3a2fcb5040855434273530e478

DragonflyBSD removed this functionality entirely here:

https://github.com/DragonFlyBSD/DragonFlyBSD/commit/05172c8dd418493b9dd5ea9bf9cc684f3cf2e705

and then Bitrig did the same:

https://github.com/bitrig/bitrig/commit/d457d994c202c1bd6cc1483e6e3e48f27205e587

I checked and NetBSD patched it here:

http://cvsweb.netbsd.org/bsdweb.cgi/src/usr.bin/patch/inp.c?rev=1.24&content-type=text/x-cvsweb-markup&only_with_tag=MAIN

OpenBSD's patch was here:

http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/patch/inp.c?rev=1.37.6.1&content-type=text/x-cvsweb-markup

As for GNU patch, looking in src/inp.c shows it has diverged a lot, but
I couldn't say if that makes it invulnerable.
