Date: Sun, 2 Aug 2015 12:39:50 -0400 (EDT) From: cve-assign@...re.org To: oss-security@...ts.openwall.com Cc: cve-assign@...re.org Subject: Re: CVE-2015-1416: vulnerability in patch(1) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 > This fix in FreeBSD seems to have been sourced from Bitrig, the OpenBSD > fork: > > https://svnweb.freebsd.org/base?view=revision&revision=285974 > As for GNU patch, looking in src/inp.c shows it has diverged a lot, but > I couldn't say if that makes it invulnerable. Our feeling is that these before-the-fix shell-metacharacter mistakes: snprintf(buf, sizeof buf, CHECKOUT, filename); snprintf(lbuf, sizeof lbuf, RCSDIFF, filename); system(lbuf) system(buf) found in https://raw.githubusercontent.com/bitrig/bitrig/fca5402bc19431b22238f684a78757e989b8b6e7/usr.bin/patch/inp.c are equivalent to these shell-metacharacter mistakes: sprintf (buf, elsewhere ? CHECKOUT : CHECKOUT_LOCKED, dotslash, filename); sprintf (lbuf, RCSDIFF, dotslash, filename); system (lbuf) system (buf) in http://git.savannah.gnu.org/cgit/patch.git/snapshot/patch-2.2.tar.gz (In other words, the same mistakes occurred when providing the same functionality with the same code structure, and three of the variable names are identical.) In http://git.savannah.gnu.org/cgit/patch.git/snapshot/patch-2.3.tar.gz is modified code in which the quote_system_arg function (i.e., not sprintf) is used to add a filename to getbuf and diffbuf, and the calls to system have been changed to use diffbuf and getbuf. (It is actually "systemic" rather than "system" but this is largely irrelevant.) We didn't find a copy of anything in between 2.2 and 2.3. The quote_system_arg change might have been added in 2.2.5. In other words, our current understanding is that CVE-2015-1416 applies to the vulnerability identified in all of the previously mentioned BSD-related code, and also applies to something like "GNU patch before 2.3" or "GNU patch before 2.2.5." The vulnerability (and the CVE ID) can, of course, be the same even if the solution approach is entirely different. (There is also a somewhat similar issue addressed between 2.5 and 2.5.2/2.5.3, in which some instances of "filename" have a "quotearg (filename)" replacement. We don't think that the established meaning of CVE-2015-1416 is associated with those later changes.) If there is (or ever was) an implementation error in the quote_system_arg function, then that would have its own CVE ID, different from CVE-2015-1416. In other words, that error would be associated with an "incomplete fix for CVE-2015-1416." We have not yet seen any actual report of this type of an error. This changelog entry may be of interest: 2010-04-20 Andreas Gruenbacher <agruen@...e.de> * src/util.c (quote_system_arg): Add a replacement for quote_system_arg() which uses quotearg's shell quoting style. In other words, there is a possibility that the 1997 implementation of quote_system_arg was replaced in 2010 because it was unsafe. The CVE project hasn't researched (and doesn't plan to research) whether related types of shell-metacharacter mistakes affected any version of GNU patch after 2.2.x. We are just clarifying that, for the specific CVE ID of CVE-2015-1416, the affected GNU patch versions are defined to be only 2.2.x and earlier. - -- CVE assignment team, MITRE CVE Numbering Authority M/S M300 202 Burlington Road, Bedford, MA 01730 USA [ PGP key available through http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQEcBAEBCAAGBQJVvkZlAAoJEKllVAevmvmsWS0H/i8An70reChmoc47vDWFydnr VEEg2MfW/W4OusWTyuDcrj/BAUF/9skCohuIFmQTF/yD8i4ogCrmHlXoXk0/dy9h jUVM3SKSUIrp6iPnAE9EAv6MhYChkb6mNkd2fhxIFRbjH/Eq6MEaR0DlvkNkVGlZ tmdmNLwOdbL4xJ7cM7VTLPsfcFAId4FSlscKEndn6pFRaN7i37ToYrd51DN92tCq jVuYdAu1qZ0ZUeI5jKdUz0TEjZEm8j66m+AJFa/wtD3FhCgW88zHo3Wlc2WHbIng qH3IhlgNN6yyAm9YDusOA6gnY7bBjXOMXY05vHC2OCkWKEdbeUDImuiGYP0Ij4k= =pjF4 -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.