Date: Sat, 01 Aug 2015 19:09:07 -0500 From: Mark Felder <feld@...d.me> To: oss-security@...ts.openwall.com Subject: Re: CVE-2015-1416: vulnerability in patch(1) On Sat, Aug 1, 2015, at 17:49, Florian Weimer wrote: > * Mark Felder: > > > Which upstream? There are a few different flavors of patch(1) out there. > > The one in FreeBSD is a variant of Larry Wall's patch, not GNU patch. > > GNU patch is a variant of Larry Wall's patch, too. I guess this makes > FreeBSD (and OpenBSD?) patch and GNU patch siblings. Aha, I see that mentioned under AUTHORS in GNU Patch's man page. This piqued my interest, so I went down the following rabbit hole: This fix in FreeBSD seems to have been sourced from Bitrig, the OpenBSD fork: https://svnweb.freebsd.org/base?view=revision&revision=285974 A quick glance shows the first parts of the vulnerability fix changes code introduced by this commit, the actual initial import of this BSD licensed patch to FreeBSD from DragonflyBSD. https://svnweb.freebsd.org/base?view=revision&revision=246074 Bitrig originally patched it here: https://github.com/bitrig/bitrig/commit/84c2a000b0029c3a2fcb5040855434273530e478 DragonflyBSD removed this functionality entirely here: https://github.com/DragonFlyBSD/DragonFlyBSD/commit/05172c8dd418493b9dd5ea9bf9cc684f3cf2e705 and then Bitrig did the same: https://github.com/bitrig/bitrig/commit/d457d994c202c1bd6cc1483e6e3e48f27205e587 I checked and NetBSD patched it here: http://cvsweb.netbsd.org/bsdweb.cgi/src/usr.bin/patch/inp.c?rev=1.24&content-type=text/x-cvsweb-markup&only_with_tag=MAIN OpenBSD's patch was here: http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/patch/inp.c?rev=188.8.131.52&content-type=text/x-cvsweb-markup As for GNU patch, looking in src/inp.c shows it has diverged a lot, but I couldn't say if that makes it invulnerable.
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.