Message-ID: <87jywpibmv.fsf@gentoo.org>
Date: Sat, 07 Feb 2026 01:30:00 +0000
From: Sam James <sam@...too.org>
To: oss-security@...ts.openwall.com
Cc: Florian Weimer <fw@...eb.enyo.de>
Subject: On patch vs commit messages

Hi!

I don't think I view this as a vulnerability, but I think the topic is
rather interesting and it seems like the audience here might be
interested in it and/or take another view on whether it is a problem.

Michael Stapelberg posted on Mastodon [0] the following:
> PSA: Did you know that it’s **unsafe** to put code diffs into your commit messages?
>
> Like https://github.com/i3/i3/pull/6564 for example
>
> Such diffs will be applied by patch(1) (also git-am(1)) as part of the code change!
>
> This is how a sleep(1) made it into i3 4.25-2 in Debian unstable.

I see Florian has sent a patch to patch(1) for this, to implement
--no-dedent [1].

But git-am(1) does the same: there's also a discussion ongoing over at
the git mailing list [2].

I think at the very least, this is rather surprising. I've run into it a
handful of times when applying a patch to gentoo.git where the commit
message includes some diff that someone used for debugging, but in those
cases, the diff was always to file(s) not in the repository (but a patch
to be applied to the *package*'s source code), hence it was just an
annoyance and resulted in the patch just not applying.

(Similarly, it does remind me a little of how patch fuzz can lead to
genuine problems and is often dismissed as noise, but e.g. you could
easily get a double free from it. A patch applying is not always a good thing.)

[0] https://mas.to/@zekjur/116022397626943871
[1] https://lists.gnu.org/archive/html/bug-patch/2026-02/msg00000.html
[2] https://lore.kernel.org/git/bcqvh7ahjjgzpgxwnr4kh3hfkksfruf54refyry3ha7qk7dldf@fij5calmscvm/

anyway, I hope this is of some value to readers,
sam
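The practical takeaway from the post is a check to run over a format-patch mail before handing it to git-am(1) or patch(1): does anything in the commit-message part look like a diff? The script below is an added example, not code from this thread, from git or from GNU patch. Its notion of "looks like a diff" is an assumption: it approximates git mailinfo's rule for where the commit message ends and the patch begins (a column-0 "diff -", "Index: ", bare "---" or "--- <file>" line) and GNU patch's willingness to dedent an indented diff, so a hunk hidden by four spaces of indentation in a PR description is flagged as well. The two sample mails are constructed for the example.

```python
import re

# Added example (not code from the thread, patch(1) or git): flag diff-looking
# text inside the commit message of a git-format-patch style mail before it
# reaches "git am" or patch(1).  The rules approximate git mailinfo and GNU
# patch; that approximation is an assumption of this example, not their code.

HUNK_HEADER = re.compile(r"^@@ -\d+(?:,\d+)? \+\d+(?:,\d+)? @@")
FILE_HEADER = re.compile(r"^(?:---|\+\+\+) \S")
DIFF_COMMAND = re.compile(r"^diff -")

def mailinfo_breaks_here(line):
    """Approximates git mailinfo's patchbreak(): a column-0 'diff -', 'Index: ',
    bare '---' or '--- <file>' line ends the message; the rest is the patch."""
    if line.startswith("diff -") or line.startswith("Index: "):
        return True
    if line.startswith("---"):
        rest = line[3:]
        if rest.strip() == "":
            return True
        return rest[0] == " " and len(rest) > 1 and not rest[1].isspace()
    return False

def message_region(lines):
    """[start, end) of the commit message: after the blank line ending the mail
    headers, up to the bare '---' separator format-patch puts before the diffstat."""
    start = 0
    for i, line in enumerate(lines):
        if line.strip() == "":
            start = i + 1
            break
    for i in range(start, len(lines)):
        if lines[i].rstrip() == "---":
            return start, i
    return start, len(lines)

def stray_diff_lines(text):
    """Return (line_no, kind, indent) for diff-looking lines in the message.
    'git-am': mailinfo would cut the message here (patch(1) applies it too).
    'patch': no mailinfo break, but GNU patch dedents and would still see
    a diff header after stripping `indent` leading columns."""
    lines = text.splitlines()
    start, end = message_region(lines)
    findings = []
    for i in range(start, end):
        raw = lines[i]
        if mailinfo_breaks_here(raw):
            findings.append((i + 1, "git-am", 0))
            continue
        stripped = raw.lstrip(" \t")
        indent = len(raw) - len(stripped)
        if (HUNK_HEADER.match(stripped) or FILE_HEADER.match(stripped)
                or DIFF_COMMAND.match(stripped)):
            findings.append((i + 1, "patch", indent))
    return findings

# Constructed sample mails (the real diff after the separator is omitted,
# the check stops at the '---' line anyway).
SAMPLE_INDENTED = """\
From: A Contributor <contributor@example.invalid>
Subject: [PATCH] Retry the IPC connect once

For reference, the hack I used while bisecting (not meant to go in):

    --- a/src/ipc.c
    +++ b/src/ipc.c
    @@ -42,3 +42,4 @@ int ipc_connect(void)
     {
    +    sleep(1);
         return do_connect();
     }

Signed-off-by: A Contributor <contributor@example.invalid>
---
 src/ipc.c | 5 ++++-
"""

SAMPLE_COLUMN0 = """\
From: A Contributor <contributor@example.invalid>
Subject: [PATCH] Drop a stale line from README

Context for reviewers, pasted from my terminal:

--- a/README
+++ b/README
@@ -1,2 +1 @@
 Title
-stale
---
 README | 1 -
"""

def main():
    for name, text in (("indented", SAMPLE_INDENTED), ("column 0", SAMPLE_COLUMN0)):
        for line_no, kind, indent in stray_diff_lines(text):
            print(f"{name}: line {line_no} looks like a diff ({kind}, indent {indent})")

if __name__ == "__main__":
    main()
```

Run it over the output of git format-patch before git am; an empty result means nothing in the message looked like a diff. Note that a column-0 "---" used as a horizontal rule in prose is a true positive for the git-am case, since mailinfo treats it as the end of the message.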

