Message-Id: <1438474147.2191174.345323673.28F8B482@webmail.messagingengine.com>
Date: Sat, 01 Aug 2015 19:09:07 -0500
From: Mark Felder <feld@...d.me>
To: oss-security@...ts.openwall.com
Subject: Re: CVE-2015-1416: vulnerability in patch(1)



On Sat, Aug 1, 2015, at 17:49, Florian Weimer wrote:
> * Mark Felder:
> 
> > Which upstream? There are a few different flavors of patch(1) out there.
> > The one in FreeBSD is a variant of Larry Wall's patch, not GNU patch.
> 
> GNU patch is a variant of Larry Wall's patch, too.  I guess this makes
> FreeBSD (and OpenBSD?) patch and GNU patch siblings.

Aha, I see that mentioned under AUTHORS in GNU Patch's man page. This
piqued my interest, so I went down the following rabbit hole:

This fix in FreeBSD seems to have been sourced from Bitrig, the OpenBSD
fork:

https://svnweb.freebsd.org/base?view=revision&revision=285974

A quick glance shows the first parts of the vulnerability fix changes
code introduced by this commit, the actual initial import of this
BSD-licensed patch to FreeBSD from DragonFlyBSD.

https://svnweb.freebsd.org/base?view=revision&revision=246074

Bitrig originally patched it here:

https://github.com/bitrig/bitrig/commit/84c2a000b0029c3a2fcb5040855434273530e478

DragonFlyBSD removed this functionality entirely here:

https://github.com/DragonFlyBSD/DragonFlyBSD/commit/05172c8dd418493b9dd5ea9bf9cc684f3cf2e705

and then Bitrig did the same:

https://github.com/bitrig/bitrig/commit/d457d994c202c1bd6cc1483e6e3e48f27205e587

I checked and NetBSD patched it here:

http://cvsweb.netbsd.org/bsdweb.cgi/src/usr.bin/patch/inp.c?rev=1.24&content-type=text/x-cvsweb-markup&only_with_tag=MAIN

OpenBSD's patch was here:

http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/patch/inp.c?rev=1.37.6.1&content-type=text/x-cvsweb-markup

As for GNU patch, looking in src/inp.c shows it has diverged a lot, but
I couldn't say if that makes it invulnerable.
