Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Sun,  2 Aug 2015 12:39:50 -0400 (EDT)
From: cve-assign@...re.org
To: oss-security@...ts.openwall.com
Cc: cve-assign@...re.org
Subject: Re: CVE-2015-1416: vulnerability in patch(1)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> This fix in FreeBSD seems to have been sourced from Bitrig, the OpenBSD
> fork:
> 
> https://svnweb.freebsd.org/base?view=revision&revision=285974

> As for GNU patch, looking in src/inp.c shows it has diverged a lot, but
> I couldn't say if that makes it invulnerable.

Our feeling is that these before-the-fix shell-metacharacter mistakes:

  snprintf(buf, sizeof buf, CHECKOUT, filename);
  snprintf(lbuf, sizeof lbuf, RCSDIFF, filename);
  system(lbuf)
  system(buf)

found in
https://raw.githubusercontent.com/bitrig/bitrig/fca5402bc19431b22238f684a78757e989b8b6e7/usr.bin/patch/inp.c
are equivalent to these shell-metacharacter mistakes:

  sprintf (buf, elsewhere ? CHECKOUT : CHECKOUT_LOCKED,
           dotslash, filename);
  sprintf (lbuf, RCSDIFF, dotslash, filename);
  system (lbuf)
  system (buf)

in
http://git.savannah.gnu.org/cgit/patch.git/snapshot/patch-2.2.tar.gz

(In other words, the same mistakes occurred when providing the same
functionality with the same code structure, and three of the variable
names are identical.)

In
http://git.savannah.gnu.org/cgit/patch.git/snapshot/patch-2.3.tar.gz
is modified code in which the quote_system_arg function (i.e., not
sprintf) is used to add a filename to getbuf and diffbuf, and the
calls to system have been changed to use diffbuf and getbuf. (It is
actually "systemic" rather than "system" but this is largely
irrelevant.) We didn't find a copy of anything in between 2.2 and 2.3.
The quote_system_arg change might have been added in 2.2.5.

In other words, our current understanding is that CVE-2015-1416
applies to the vulnerability identified in all of the previously
mentioned BSD-related code, and also applies to something like "GNU
patch before 2.3" or "GNU patch before 2.2.5." The vulnerability (and
the CVE ID) can, of course, be the same even if the solution approach
is entirely different.

(There is also a somewhat similar issue addressed between 2.5 and
2.5.2/2.5.3, in which some instances of "filename" have a "quotearg
(filename)" replacement. We don't think that the established meaning
of CVE-2015-1416 is associated with those later changes.)

If there is (or ever was) an implementation error in the
quote_system_arg function, then that would have its own CVE ID,
different from CVE-2015-1416. In other words, that error would be
associated with an "incomplete fix for CVE-2015-1416." We have not yet
seen any actual report of this type of an error.

This changelog entry may be of interest:

  2010-04-20  Andreas Gruenbacher  <agruen@...e.de>

         * src/util.c (quote_system_arg): Add a replacement for
         quote_system_arg() which uses quotearg's shell quoting style.

In other words, there is a possibility that the 1997 implementation of
quote_system_arg was replaced in 2010 because it was unsafe.

The CVE project hasn't researched (and doesn't plan to research)
whether related types of shell-metacharacter mistakes affected any
version of GNU patch after 2.2.x. We are just clarifying that, for the
specific CVE ID of CVE-2015-1416, the affected GNU patch versions are
defined to be only 2.2.x and earlier.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBCAAGBQJVvkZlAAoJEKllVAevmvmsWS0H/i8An70reChmoc47vDWFydnr
VEEg2MfW/W4OusWTyuDcrj/BAUF/9skCohuIFmQTF/yD8i4ogCrmHlXoXk0/dy9h
jUVM3SKSUIrp6iPnAE9EAv6MhYChkb6mNkd2fhxIFRbjH/Eq6MEaR0DlvkNkVGlZ
tmdmNLwOdbL4xJ7cM7VTLPsfcFAId4FSlscKEndn6pFRaN7i37ToYrd51DN92tCq
jVuYdAu1qZ0ZUeI5jKdUz0TEjZEm8j66m+AJFa/wtD3FhCgW88zHo3Wlc2WHbIng
qH3IhlgNN6yyAm9YDusOA6gnY7bBjXOMXY05vHC2OCkWKEdbeUDImuiGYP0Ij4k=
=pjF4
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.