652710 – (CVE-2018-1000156) <sys-devel/patch-2.7.6-r3: arbitrary command execution (CVE-2018-1000156)

Bug 652710 (CVE-2018-1000156) - <sys-devel/patch-2.7.6-r3: arbitrary command execution (CVE-2018-1000156)

Summary: <sys-devel/patch-2.7.6-r3: arbitrary command execution (CVE-2018-1000156)

Status:	RESOLVED FIXED

Alias:	CVE-2018-1000156

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal normal
Assignee:	Gentoo Security

URL:	https://savannah.gnu.org/bugs/index.p...
Whiteboard:	A2 [glsa+ cve]
Keywords:

Depends on:
Blocks:	647792 647794
	Show dependency tree

Reported:	2018-04-06 22:46 UTC by Sławomir Nizio
Modified:	2019-04-17 18:30 UTC (History)
CC List:	4 users (show)

See Also:
Package list:	=sys-devel/patch-2.7.6-r3
Runtime testing required:	Yes

Flags:	stable-bot: sanity-check+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Sławomir Nizio 2018-04-06 22:46:43 UTC

Confirmed on my system with sys-devel/patch-2.7.6-r1.

The patch application allows a patch file in the ed format to call arbitrary commands. Upstream report at $URL.

According to upstream report it has been fixed in git; probably it's about http://git.savannah.gnu.org/cgit/patch.git/commit/?id=123eaff0d5d1aebe128295959435b9ca5909c26d but note that around this commit there are other ones that claim to avoid a potential shell injection introduced by the former, e.g.: http://git.savannah.gnu.org/cgit/patch.git/commit/?id=ff1d3a67da1e7f7af6a760ba5f0cee70763666da .

Reproducible: Always

Comment 1 GLSAMaker/CVETool Bot gentoo-dev

2018-04-06 23:02:49 UTC

CVE-2018-1000156 (https://nvd.nist.gov/vuln/detail/CVE-2018-1000156):
  GNU Patch version 2.7.6 contains an input validation vulnerability when
  processing patch files, specifically the EDITOR_PROGRAM invocation (using
  ed) can result in code execution. This attack appear to be exploitable via a
  patch file processed via the patch utility. This is similar to FreeBSD's
  CVE-2015-1418 however although they share a common ancestry the code bases
  have diverged over time.

Comment 2 Aaron Bauman (RETIRED) gentoo-dev

2019-03-24 04:12:57 UTC

Upstream fix:

http://git.savannah.nongnu.org/cgit/patch.git/commit/?id=123eaff0d5d1aebe128295959435b9ca5909c26d

Comment 3 Larry the Git Cow gentoo-dev

2019-03-28 00:33:19 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5c55ece4eee17a954740b8ecc03b1cb8ed58c123

commit 5c55ece4eee17a954740b8ecc03b1cb8ed58c123
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2019-03-28 00:32:30 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2019-03-28 00:33:05 +0000

    sys-devel/patch: add patches for CVE-2018-{6951,6952}, CVE-2018-1000156
    
    Bug: https://bugs.gentoo.org/647792
    Bug: https://bugs.gentoo.org/647794
    Bug: https://bugs.gentoo.org/652710
    Package-Manager: Portage-2.3.62, Repoman-2.3.12
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 .../patch/files/patch-2.7.6-CVE-2018-1000156.patch | 150 +++++++++++++++++++++
 .../patch/files/patch-2.7.6-CVE-2018-6951.patch    |  29 ++++
 .../patch/files/patch-2.7.6-CVE-2018-6952.patch    |  30 +++++
 ...-files-to-be-missing-for-ed-style-patches.patch |  25 ++++
 sys-devel/patch/patch-2.7.6-r3.ebuild              |  40 ++++++
 5 files changed, 274 insertions(+)

Comment 4 Aaron Bauman (RETIRED) gentoo-dev

2019-04-04 22:46:25 UTC

@arches, please stabilize.

Comment 5 Agostino Sarubbo gentoo-dev

2019-04-05 20:47:34 UTC

amd64 stable

Comment 6 Sergei Trofimovich (RETIRED) gentoo-dev

2019-04-07 21:37:46 UTC

hppa stable

Comment 7 Mikle Kolyada (RETIRED) archtester

2019-04-07 21:38:53 UTC

arm stable

Comment 8 Sergei Trofimovich (RETIRED) gentoo-dev

2019-04-07 21:43:15 UTC

ia64 stable

Comment 9 Sergei Trofimovich (RETIRED) gentoo-dev

2019-04-07 21:49:08 UTC

ppc64 stable

Comment 10 Mikle Kolyada (RETIRED) archtester

2019-04-07 21:51:26 UTC

s390 stable

Comment 11 Thomas Deutschmann (RETIRED) gentoo-dev

2019-04-08 02:20:00 UTC

x86 stable

Comment 12 Sergei Trofimovich (RETIRED) gentoo-dev

2019-04-08 06:09:11 UTC

ppc stable

Comment 13 Mikle Kolyada (RETIRED) archtester

2019-04-08 06:40:21 UTC

alpha stable

Comment 14 Mart Raudsepp gentoo-dev

2019-04-08 08:40:09 UTC

arm64 stable

Comment 15 Markus Meier gentoo-dev

2019-04-08 18:26:05 UTC

arm stable

Comment 16 Rolf Eike Beer archtester

2019-04-11 05:22:08 UTC

sparc stable

Comment 17 Mikle Kolyada (RETIRED) archtester

2019-04-11 09:47:29 UTC

m68k stable

Comment 18 Mikle Kolyada (RETIRED) archtester

2019-04-11 09:47:53 UTC

sh stable

Comment 19 Larry the Git Cow gentoo-dev

2019-04-11 09:49:12 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=473392c657823d46c09f4c3e7d58bdde2f60ba54

commit 473392c657823d46c09f4c3e7d58bdde2f60ba54
Author:     Mikle Kolyada <zlogene@gentoo.org>
AuthorDate: 2019-04-11 09:48:52 +0000
Commit:     Mikle Kolyada <zlogene@gentoo.org>
CommitDate: 2019-04-11 09:49:08 +0000

    sys-devel/patch: Security cleanup
    
    Bug: https://bugs.gentoo.org/652710
    Signed-off-by: Mikle Kolyada <zlogene@gentoo.org>
    Package-Manager: Portage-2.3.62, Repoman-2.3.11

 sys-devel/patch/patch-2.7.6-r2.ebuild | 36 -----------------------------------
 1 file changed, 36 deletions(-)

Comment 20 GLSAMaker/CVETool Bot gentoo-dev

2019-04-17 18:30:13 UTC

This issue was resolved and addressed in
 GLSA 201904-17 at https://security.gentoo.org/glsa/201904-17
by GLSA coordinator Aaron Bauman (b-man).