Date: Fri, 6 Apr 2018 08:52:43 +0200 From: Hanno Böck <hanno@...eck.de> To: oss-security@...ts.openwall.com Subject: Privsec vuln in beep / Code execution in GNU patch Hi, There was a joke webpage about a vulnerability in beep a few days ago: http://holeybeep.ninja/ There's also a corresponding Debian Advisory: https://lists.debian.org/debian-security-announce/2018/msg00089.html Neither have any technical details. CVE is CVE-2018-0492. If anyone knows the background of this please share it. However it turned out that on that joke holey beep webpage there's a patch with a hidden easter egg that's actually a vulnerability in GNU patch. GNU patch supports a legacy "ed" format for patches and that allows executing external commands. It's been reported to GNU patch now here: https://savannah.gnu.org/bugs/index.php?53566 CVE is CVE-2018-1000156. (says an anonymous commenter...) A minimal poc looks like this: --- a 2018-13-37 13:37:37.000000000 +0100 +++ b 2018-13-37 13:38:38.000000000 +0100 1337a 1,112d !id>~/pwn.lol It looks like FreeBSD and OpenBSD have fixed something alike in 2015: https://www.freebsd.org/security/advisories/FreeBSD-SA-15:18.bsdpatch.asc https://ftp.openbsd.org/pub/OpenBSD/patches/5.7/common/013_patch.patch.sig -- Hanno Böck https://hboeck.de/ mail/jabber: hanno@...eck.de GPG: FE73757FA60E4E21B937579FA5880072BBB51E42
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ