Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sat, 01 Aug 2015 19:09:07 -0500
From: Mark Felder <>
Subject: Re: CVE-2015-1416: vulnerability in patch(1)

On Sat, Aug 1, 2015, at 17:49, Florian Weimer wrote:
> * Mark Felder:
> > Which upstream? There are a few different flavors of patch(1) out there.
> > The one in FreeBSD is a variant of Larry Wall's patch, not GNU patch.
> GNU patch is a variant of Larry Wall's patch, too.  I guess this makes
> FreeBSD (and OpenBSD?) patch and GNU patch siblings.

Aha, I see that mentioned under AUTHORS in GNU Patch's man page. This
piqued my interest, so I went down the following rabbit hole:

This fix in FreeBSD seems to have been sourced from Bitrig, the OpenBSD

A quick glance shows the first parts of the vulnerability fix changes
code introduced by this commit, the actual initial import of this BSD
licensed patch to FreeBSD from DragonflyBSD.

Bitrig originally patched it here:

DragonflyBSD removed this functionality entirely here:

and then Bitrig did the same:

I checked and NetBSD patched it here:

OpenBSD's patch was here:

As for GNU patch, looking in src/inp.c shows it has diverged a lot, but
I couldn't say if that makes it invulnerable.

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.