Date: Sat, 01 Aug 2015 19:09:07 -0500 From: Mark Felder <feld@...d.me> To: oss-security@...ts.openwall.com Subject: Re: CVE-2015-1416: vulnerability in patch(1) On Sat, Aug 1, 2015, at 17:49, Florian Weimer wrote: > * Mark Felder: > > > Which upstream? There are a few different flavors of patch(1) out there. > > The one in FreeBSD is a variant of Larry Wall's patch, not GNU patch. > > GNU patch is a variant of Larry Wall's patch, too. I guess this makes > FreeBSD (and OpenBSD?) patch and GNU patch siblings. Aha, I see that mentioned under AUTHORS in GNU Patch's man page. This piqued my interest, so I went down the following rabbit hole: This fix in FreeBSD seems to have been sourced from Bitrig, the OpenBSD fork: https://svnweb.freebsd.org/base?view=revision&revision=285974 A quick glance shows the first parts of the vulnerability fix changes code introduced by this commit, the actual initial import of this BSD licensed patch to FreeBSD from DragonflyBSD. https://svnweb.freebsd.org/base?view=revision&revision=246074 Bitrig originally patched it here: https://github.com/bitrig/bitrig/commit/84c2a000b0029c3a2fcb5040855434273530e478 DragonflyBSD removed this functionality entirely here: https://github.com/DragonFlyBSD/DragonFlyBSD/commit/05172c8dd418493b9dd5ea9bf9cc684f3cf2e705 and then Bitrig did the same: https://github.com/bitrig/bitrig/commit/d457d994c202c1bd6cc1483e6e3e48f27205e587 I checked and NetBSD patched it here: http://cvsweb.netbsd.org/bsdweb.cgi/src/usr.bin/patch/inp.c?rev=1.24&content-type=text/x-cvsweb-markup&only_with_tag=MAIN OpenBSD's patch was here: http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/patch/inp.c?rev=188.8.131.52&content-type=text/x-cvsweb-markup As for GNU patch, looking in src/inp.c shows it has diverged a lot, but I couldn't say if that makes it invulnerable.
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ