Date: Sun,  2 Aug 2015 12:39:50 -0400 (EDT)
Subject: Re: CVE-2015-1416: vulnerability in patch(1)


> This fix in FreeBSD seems to have been sourced from Bitrig, the OpenBSD
> fork:

> As for GNU patch, looking in src/inp.c shows it has diverged a lot, but
> I couldn't say if that makes it invulnerable.

Our feeling is that these before-the-fix shell-metacharacter mistakes:

  snprintf(buf, sizeof buf, CHECKOUT, filename);
  snprintf(lbuf, sizeof lbuf, RCSDIFF, filename);

found in
are equivalent to these shell-metacharacter mistakes:

  sprintf (buf, elsewhere ? CHECKOUT : CHECKOUT_LOCKED,
           dotslash, filename);
  sprintf (lbuf, RCSDIFF, dotslash, filename);
  system (lbuf);
  system (buf);
(In other words, the same mistakes occurred when providing the same
functionality with the same code structure, and three of the variable
names are identical.)

is modified code in which the quote_system_arg function (i.e., not
sprintf) is used to add a filename to getbuf and diffbuf, and the
calls to system have been changed to use diffbuf and getbuf. (It is
actually "systemic" rather than "system" but this is largely
irrelevant.) We didn't find a copy of anything in between 2.2 and 2.3.
The quote_system_arg change might have been added in 2.2.5.

In other words, our current understanding is that CVE-2015-1416
applies to the vulnerability identified in all of the previously
mentioned BSD-related code, and also applies to something like "GNU
patch before 2.3" or "GNU patch before 2.2.5." The vulnerability (and
the CVE ID) can, of course, be the same even if the solution approach
is entirely different.

(There is also a somewhat similar issue addressed between 2.5 and
2.5.2/2.5.3, in which some instances of "filename" have a "quotearg
(filename)" replacement. We don't think that the established meaning
of CVE-2015-1416 is associated with those later changes.)

If there is (or ever was) an implementation error in the
quote_system_arg function, then that would have its own CVE ID,
different from CVE-2015-1416. In other words, that error would be
associated with an "incomplete fix for CVE-2015-1416." We have not yet
seen any actual report of this type of an error.

This changelog entry may be of interest:

  2010-04-20  Andreas Gruenbacher  <>

         * src/util.c (quote_system_arg): Add a replacement for
         quote_system_arg() which uses quotearg's shell quoting style.

In other words, there is a possibility that the 1997 implementation of
quote_system_arg was replaced in 2010 because it was unsafe.

The CVE project hasn't researched (and doesn't plan to research)
whether related types of shell-metacharacter mistakes affected any
version of GNU patch after 2.2.x. We are just clarifying that, for the
specific CVE ID of CVE-2015-1416, the affected GNU patch versions are
defined to be only 2.2.x and earlier.

-- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through ]
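The unquoted snprintf-into-system() pattern discussed in this message, beside a shell-quoted version and a small audit check, as an added C example that is not from the thread or from patch(1); the RCSDIFF format string, the quoter and the file names below are constructed assumptions, not patch's own code:

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for patch's RCSDIFF format (assumption: the real macro is a
   longer rcsdiff command line; the "%s" for the file name is the point). */
#define RCSDIFF "rcsdiff %s"
/* Pre-fix pattern: the file name goes verbatim into a command line that
   system() hands to the shell, so metacharacters in it are interpreted. */
int build_unquoted(char *buf, size_t n, const char *filename) {
    return snprintf(buf, n, RCSDIFF, filename);
}
/* Our own single-quote-style quoter (the idea behind quote_system_arg /
   quotearg's shell style, not patch's code): wrap in '...' and turn each
   embedded ' into '\''. Returns a malloc'd string or NULL. */
char *quote_shell_arg(const char *arg) {
    size_t quotes = 0;
    for (const char *p = arg; *p; p++) quotes += (*p == '\'');
    char *out = malloc(strlen(arg) + 2 + quotes * 3 + 1); /* quotes + NUL */
    if (out == NULL) return NULL;
    char *q = out;
    *q++ = '\'';
    for (const char *p = arg; *p; p++) {
        if (*p == '\'') { memcpy(q, "'\\''", 4); q += 4; }
        else *q++ = *p;
    }
    *q++ = '\'';
    *q = '\0';
    return out;
}
/* Fixed pattern: quote the argument first, then format the command. */
int build_quoted(char *buf, size_t n, const char *filename) {
    char *q = quote_shell_arg(filename);
    if (q == NULL) return -1;
    int r = snprintf(buf, n, RCSDIFF, q);
    free(q);
    return r;
}
/* Audit helper: 1 if cmd contains a shell metacharacter outside single
   quotes (honouring backslash escapes outside quotes), else 0. */
int has_unquoted_metachar(const char *cmd) {
    int in_quote = 0;
    for (const char *p = cmd; *p; p++) {
        if (!in_quote && *p == '\\' && p[1] != '\0') { p++; continue; }
        if (*p == '\'') { in_quote = !in_quote; continue; }
        if (!in_quote && strchr(";|&`$<>()\n", *p) != NULL) return 1;
    }
    return 0;
}
```

A file name such as the constructed "notes.txt; echo injected" survives the quoted path as an inert single word, which is what the quote_system_arg change in GNU patch and the BSD fixes achieve.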

