From: Andreas Gruenbacher Date: Fri, 6 Apr 2018 11:34:51 +0200 Subject: Allow input files to be missing for ed-style patches Patch-mainline: yes Git-commit: b5a91a01e5d0897facdd0f49d64b76b0f02b43e1 References: bsc#1088420, savannah#53566, CVE-2018-1000156 * src/pch.c (do_ed_script): Allow input files to be missing so that new files will be created as with non-ed-style patches. --- src/pch.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) --- a/src/pch.c +++ b/src/pch.c @@ -2394,9 +2394,11 @@ do_ed_script (char const *inname, char c if (! dry_run && ! skip_rest_of_patch) { int exclusive = *outname_needs_removal ? 0 : O_EXCL; - assert (! inerrno); - *outname_needs_removal = true; - copy_file (inname, outname, 0, exclusive, instat.st_mode, true); + if (inerrno != ENOENT) + { + *outname_needs_removal = true; + copy_file (inname, outname, 0, exclusive, instat.st_mode, true); + } sprintf (buf, "%s %s%s", editor_program, verbosity == VERBOSE ? "" : "- ", outname); From: Andreas Gruenbacher Date: Fri, 6 Apr 2018 12:14:49 +0200 Subject: Fix arbitrary command execution in ed-style patches Patch-mainline: yes Git-commit: 123eaff0d5d1aebe128295959435b9ca5909c26d References: bsc#1088420, savannah#53566, CVE-2018-1000156 * src/pch.c (do_ed_script): Write ed script to a temporary file instead of piping it to ed: this will cause ed to abort on invalid commands instead of rejecting them and carrying on. * tests/ed-style: New test case. * tests/Makefile.am (TESTS): Add test case. --- src/pch.c | 91 +++++++++++++++++++++++++++++++++++++++--------------- tests/Makefile.am | 1 tests/ed-style | 41 ++++++++++++++++++++++++ 3 files changed, 108 insertions(+), 25 deletions(-) --- a/src/pch.c +++ b/src/pch.c @@ -33,6 +33,7 @@ # include #endif #include +#include #define INITHUNKMAX 125 /* initial dynamic allocation size */ @@ -2389,24 +2390,28 @@ do_ed_script (char const *inname, char c static char const editor_program[] = EDITOR_PROGRAM; file_offset beginning_of_this_line; - FILE *pipefp = 0; size_t chars_read; + FILE *tmpfp = 0; + char const *tmpname; + int tmpfd; + pid_t pid; + + if (! dry_run && ! skip_rest_of_patch) + { + /* Write ed script to a temporary file. This causes ed to abort on + invalid commands such as when line numbers or ranges exceed the + number of available lines. When ed reads from a pipe, it rejects + invalid commands and treats the next line as a new command, which + can lead to arbitrary command execution. */ + + tmpfd = make_tempfile (&tmpname, 'e', NULL, O_RDWR | O_BINARY, 0); + if (tmpfd == -1) + pfatal ("Can't create temporary file %s", quotearg (tmpname)); + tmpfp = fdopen (tmpfd, "w+b"); + if (! tmpfp) + pfatal ("Can't open stream for file %s", quotearg (tmpname)); + } - if (! dry_run && ! skip_rest_of_patch) { - int exclusive = *outname_needs_removal ? 0 : O_EXCL; - if (inerrno != ENOENT) - { - *outname_needs_removal = true; - copy_file (inname, outname, 0, exclusive, instat.st_mode, true); - } - sprintf (buf, "%s %s%s", editor_program, - verbosity == VERBOSE ? "" : "- ", - outname); - fflush (stdout); - pipefp = popen(buf, binary_transput ? "wb" : "w"); - if (!pipefp) - pfatal ("Can't open pipe to %s", quotearg (buf)); - } for (;;) { char ed_command_letter; beginning_of_this_line = file_tell (pfp); @@ -2417,14 +2422,14 @@ do_ed_script (char const *inname, char c } ed_command_letter = get_ed_command_letter (buf); if (ed_command_letter) { - if (pipefp) - if (! fwrite (buf, sizeof *buf, chars_read, pipefp)) + if (tmpfp) + if (! fwrite (buf, sizeof *buf, chars_read, tmpfp)) write_fatal (); if (ed_command_letter != 'd' && ed_command_letter != 's') { p_pass_comments_through = true; while ((chars_read = get_line ()) != 0) { - if (pipefp) - if (! fwrite (buf, sizeof *buf, chars_read, pipefp)) + if (tmpfp) + if (! fwrite (buf, sizeof *buf, chars_read, tmpfp)) write_fatal (); if (chars_read == 2 && strEQ (buf, ".\n")) break; @@ -2437,13 +2442,49 @@ do_ed_script (char const *inname, char c break; } } - if (!pipefp) + if (!tmpfp) return; - if (fwrite ("w\nq\n", sizeof (char), (size_t) 4, pipefp) == 0 - || fflush (pipefp) != 0) + if (fwrite ("w\nq\n", sizeof (char), (size_t) 4, tmpfp) == 0 + || fflush (tmpfp) != 0) write_fatal (); - if (pclose (pipefp) != 0) - fatal ("%s FAILED", editor_program); + + if (lseek (tmpfd, 0, SEEK_SET) == -1) + pfatal ("Can't rewind to the beginning of file %s", quotearg (tmpname)); + + if (! dry_run && ! skip_rest_of_patch) { + int exclusive = *outname_needs_removal ? 0 : O_EXCL; + *outname_needs_removal = true; + if (inerrno != ENOENT) + { + *outname_needs_removal = true; + copy_file (inname, outname, 0, exclusive, instat.st_mode, true); + } + sprintf (buf, "%s %s%s", editor_program, + verbosity == VERBOSE ? "" : "- ", + outname); + fflush (stdout); + + pid = fork(); + if (pid == -1) + pfatal ("Can't fork"); + else if (pid == 0) + { + dup2 (tmpfd, 0); + execl ("/bin/sh", "sh", "-c", buf, (char *) 0); + _exit (2); + } + else + { + int wstatus; + if (waitpid (pid, &wstatus, 0) == -1 + || ! WIFEXITED (wstatus) + || WEXITSTATUS (wstatus) != 0) + fatal ("%s FAILED", editor_program); + } + } + + fclose (tmpfp); + safe_unlink (tmpname); if (ofp) { --- a/tests/Makefile.am +++ b/tests/Makefile.am @@ -32,6 +32,7 @@ TESTS = \ crlf-handling \ dash-o-append \ deep-directories \ + ed-style \ empty-files \ false-match \ fifo \ --- /dev/null +++ b/tests/ed-style @@ -0,0 +1,41 @@ +# Copyright (C) 2018 Free Software Foundation, Inc. +# +# Copying and distribution of this file, with or without modification, +# in any medium, are permitted without royalty provided the copyright +# notice and this notice are preserved. + +. $srcdir/test-lib.sh + +require cat +use_local_patch +use_tmpdir + +# ============================================================== + +cat > ed1.diff < ed2.diff < /dev/null || echo "Status: $?"' < Subject: Update tests/Makefile.in Patch-mainline: no, temporary integration References: bsc#1088420, savannah#53566, CVE-2018-1000156 Previous patch modifies tests/Makefile.am. Mirror the changes to tests/Makefile.in so that we don't need automake. --- tests/Makefile.in | 8 ++++++++ 1 file changed, 8 insertions(+) --- a/tests/Makefile.in +++ b/tests/Makefile.in @@ -1308,6 +1308,7 @@ TESTS = \ crlf-handling \ dash-o-append \ deep-directories \ + ed-style \ empty-files \ false-match \ fifo \ @@ -1638,6 +1639,13 @@ deep-directories.log: deep-directories $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ --log-file $$b.log --trs-file $$b.trs \ $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) +ed-style.log: ed-style + @p='ed-style'; \ + b='ed-style'; \ + $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ "$$tst" $(AM_TESTS_FD_REDIRECT) empty-files.log: empty-files @p='empty-files'; \ From: Andreas Gruenbacher Date: Fri, 6 Apr 2018 19:36:15 +0200 Subject: Invoke ed directly instead of using the shell Git-commit: 3fcd042d26d70856e826a42b5f93dc4854d80bf0 Patch-mainline: yes References: bsc#1088420, savannah#53566, CVE-2018-1000156 * src/pch.c (do_ed_script): Invoke ed directly instead of using a shell command to avoid quoting vulnerabilities. --- src/pch.c | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) --- a/src/pch.c +++ b/src/pch.c @@ -2459,9 +2459,6 @@ do_ed_script (char const *inname, char c *outname_needs_removal = true; copy_file (inname, outname, 0, exclusive, instat.st_mode, true); } - sprintf (buf, "%s %s%s", editor_program, - verbosity == VERBOSE ? "" : "- ", - outname); fflush (stdout); pid = fork(); @@ -2470,7 +2467,8 @@ do_ed_script (char const *inname, char c else if (pid == 0) { dup2 (tmpfd, 0); - execl ("/bin/sh", "sh", "-c", buf, (char *) 0); + assert (outname[0] != '!' && outname[0] != '-'); + execlp (editor_program, editor_program, "-", outname, (char *) NULL); _exit (2); } else From: Andreas Gruenbacher Date: Fri, 6 Apr 2018 20:32:46 +0200 Subject: Minor cleanups in do_ed_script Git-commit: 2a32bf09f5e9572da4be183bb0dbde8164351474 Patch-mainline: yes References: bsc#1088420, savannah#53566, CVE-2018-1000156 * src/pch.c (do_ed_script): Minor cleanups. Backporting notes: adjusted because we don't have commit ff1d3a67da1e ("Use gnulib execute module") so the context is very different. --- src/pch.c | 56 +++++++++++++++++++++++++++----------------------------- 1 file changed, 27 insertions(+), 29 deletions(-) --- a/src/pch.c +++ b/src/pch.c @@ -2395,6 +2395,8 @@ do_ed_script (char const *inname, char c char const *tmpname; int tmpfd; pid_t pid; + int exclusive = *outname_needs_removal ? 0 : O_EXCL; + if (! dry_run && ! skip_rest_of_patch) { @@ -2442,7 +2444,7 @@ do_ed_script (char const *inname, char c break; } } - if (!tmpfp) + if (dry_run || skip_rest_of_patch) return; if (fwrite ("w\nq\n", sizeof (char), (size_t) 4, tmpfp) == 0 || fflush (tmpfp) != 0) @@ -2451,35 +2453,31 @@ do_ed_script (char const *inname, char c if (lseek (tmpfd, 0, SEEK_SET) == -1) pfatal ("Can't rewind to the beginning of file %s", quotearg (tmpname)); - if (! dry_run && ! skip_rest_of_patch) { - int exclusive = *outname_needs_removal ? 0 : O_EXCL; + if (inerrno != ENOENT) + { *outname_needs_removal = true; - if (inerrno != ENOENT) - { - *outname_needs_removal = true; - copy_file (inname, outname, 0, exclusive, instat.st_mode, true); - } - fflush (stdout); - - pid = fork(); - if (pid == -1) - pfatal ("Can't fork"); - else if (pid == 0) - { - dup2 (tmpfd, 0); - assert (outname[0] != '!' && outname[0] != '-'); - execlp (editor_program, editor_program, "-", outname, (char *) NULL); - _exit (2); - } - else - { - int wstatus; - if (waitpid (pid, &wstatus, 0) == -1 - || ! WIFEXITED (wstatus) - || WEXITSTATUS (wstatus) != 0) - fatal ("%s FAILED", editor_program); - } - } + copy_file (inname, outname, 0, exclusive, instat.st_mode, true); + } + fflush (stdout); + + pid = fork(); + if (pid == -1) + pfatal ("Can't fork"); + else if (pid == 0) + { + dup2 (tmpfd, 0); + assert (outname[0] != '!' && outname[0] != '-'); + execlp (editor_program, editor_program, "-", outname, (char *) NULL); + _exit (2); + } + else + { + int wstatus; + if (waitpid (pid, &wstatus, 0) == -1 + || ! WIFEXITED (wstatus) + || WEXITSTATUS (wstatus) != 0) + fatal ("%s FAILED", editor_program); + } fclose (tmpfp); safe_unlink (tmpname); From: Bruno Haible Date: Sat, 7 Apr 2018 12:34:03 +0200 Subject: Fix 'ed-style' test failure Git-commit: 458ac51a05426c1af9aa6bf1342ecf60728c19b4 Patch-mainline: yes References: bsc#1088420, savannah#53566, CVE-2018-1000156 * tests/ed-style: Remove '?' line from expected output. --- tests/ed-style | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) --- a/tests/ed-style +++ b/tests/ed-style @@ -31,8 +31,7 @@ r !echo bar ,p EOF -check 'patch -e foo -i ed2.diff 2> /dev/null || echo "Status: $?"' < /dev/null 2> /dev/null || echo "Status: $?"' < Date: Thu, 3 May 2018 14:31:55 +0200 Subject: Don't leak temporary file on failed ed-style patch Git-commit: 19599883ffb6a450d2884f081f8ecf68edbed7ee Patch-mainline: yes References: bsc#1092500, savannah#53820 Now that we write ed-style patches to a temporary file before we apply them, we need to ensure that the temporary file is removed before we leave, even on fatal error. * src/pch.c (do_ed_script): Use global TMPEDNAME instead of local tmpname. Don't unlink the file directly, instead tag it for removal at exit time. * src/patch.c (cleanup): Unlink TMPEDNAME at exit. This closes bug #53820: https://savannah.gnu.org/bugs/index.php?53820 Fixes: 123eaff0d5d1 ("Fix arbitrary command execution in ed-style patches (CVE-2018-1000156)") --- src/common.h | 2 ++ src/patch.c | 1 + src/pch.c | 11 +++++------ 3 files changed, 8 insertions(+), 6 deletions(-) --- a/src/common.h +++ b/src/common.h @@ -94,10 +94,12 @@ XTERN char const *origsuff; XTERN char const * TMPINNAME; XTERN char const * TMPOUTNAME; XTERN char const * TMPPATNAME; +XTERN char const * TMPEDNAME; XTERN bool TMPINNAME_needs_removal; XTERN bool TMPOUTNAME_needs_removal; XTERN bool TMPPATNAME_needs_removal; +XTERN bool TMPEDNAME_needs_removal; #ifdef DEBUGGING XTERN int debug; --- a/src/patch.c +++ b/src/patch.c @@ -1999,6 +1999,7 @@ cleanup (void) remove_if_needed (TMPINNAME, &TMPINNAME_needs_removal); remove_if_needed (TMPOUTNAME, &TMPOUTNAME_needs_removal); remove_if_needed (TMPPATNAME, &TMPPATNAME_needs_removal); + remove_if_needed (TMPEDNAME, &TMPEDNAME_needs_removal); remove_if_needed (TMPREJNAME, &TMPREJNAME_needs_removal); output_files (NULL); } --- a/src/pch.c +++ b/src/pch.c @@ -2392,7 +2392,6 @@ do_ed_script (char const *inname, char c file_offset beginning_of_this_line; size_t chars_read; FILE *tmpfp = 0; - char const *tmpname; int tmpfd; pid_t pid; int exclusive = *outname_needs_removal ? 0 : O_EXCL; @@ -2406,12 +2405,13 @@ do_ed_script (char const *inname, char c invalid commands and treats the next line as a new command, which can lead to arbitrary command execution. */ - tmpfd = make_tempfile (&tmpname, 'e', NULL, O_RDWR | O_BINARY, 0); + tmpfd = make_tempfile (&TMPEDNAME, 'e', NULL, O_RDWR | O_BINARY, 0); if (tmpfd == -1) - pfatal ("Can't create temporary file %s", quotearg (tmpname)); + pfatal ("Can't create temporary file %s", quotearg (TMPEDNAME)); + TMPEDNAME_needs_removal = true; tmpfp = fdopen (tmpfd, "w+b"); if (! tmpfp) - pfatal ("Can't open stream for file %s", quotearg (tmpname)); + pfatal ("Can't open stream for file %s", quotearg (TMPEDNAME)); } for (;;) { @@ -2451,7 +2451,7 @@ do_ed_script (char const *inname, char c write_fatal (); if (lseek (tmpfd, 0, SEEK_SET) == -1) - pfatal ("Can't rewind to the beginning of file %s", quotearg (tmpname)); + pfatal ("Can't rewind to the beginning of file %s", quotearg (TMPEDNAME)); if (inerrno != ENOENT) { @@ -2480,7 +2480,6 @@ do_ed_script (char const *inname, char c } fclose (tmpfp); - safe_unlink (tmpname); if (ofp) { From: Jean Delvare Date: Mon, 7 May 2018 15:14:45 +0200 Subject: Don't leak temporary file on failed multi-file ed-style patch Git-commit: 369dcccdfa6336e5a873d6d63705cfbe04c55727 Patch-mainline: yes References: bsc#1092500, savannah#53820 The previous fix worked fine with single-file ed-style patches, but would still leak temporary files in the case of multi-file ed-style patch. Fix that case as well, and extend the test case to check for it. * src/patch.c (main): Unlink TMPEDNAME if needed before moving to the next file in a patch. This closes bug #53820: https://savannah.gnu.org/bugs/index.php?53820 Fixes: 123eaff0d5d1 ("Fix arbitrary command execution in ed-style patches (CVE-2018-1000156)") Fixes: 19599883ffb6 ("Don't leak temporary file on failed ed-style patch") --- src/patch.c | 1 + tests/ed-style | 31 +++++++++++++++++++++++++++++++ 2 files changed, 32 insertions(+) --- a/src/patch.c +++ b/src/patch.c @@ -236,6 +236,7 @@ main (int argc, char **argv) } remove_if_needed (TMPOUTNAME, &TMPOUTNAME_needs_removal); } + remove_if_needed (TMPEDNAME, &TMPEDNAME_needs_removal); if (! skip_rest_of_patch && ! file_type) { --- a/tests/ed-style +++ b/tests/ed-style @@ -38,3 +38,34 @@ EOF check 'cat foo' < ed3.diff < baz <