Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 652710 (CVE-2018-1000156) - <sys-devel/patch-2.7.6-r3: arbitrary command execution (CVE-2018-1000156)
Summary: <sys-devel/patch-2.7.6-r3: arbitrary command execution (CVE-2018-1000156)
Status: RESOLVED FIXED
Alias: CVE-2018-1000156
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://savannah.gnu.org/bugs/index.p...
Whiteboard: A2 [glsa+ cve]
Keywords:
Depends on:
Blocks: 647792 647794
  Show dependency tree
 
Reported: 2018-04-06 22:46 UTC by Sławomir Nizio
Modified: 2019-04-17 18:30 UTC (History)
4 users (show)

See Also:
Package list:
=sys-devel/patch-2.7.6-r3
Runtime testing required: Yes
stable-bot: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Sławomir Nizio 2018-04-06 22:46:43 UTC
Confirmed on my system with sys-devel/patch-2.7.6-r1.

The patch application allows a patch file in the ed format to call arbitrary commands. Upstream report at $URL.

According to upstream report it has been fixed in git; probably it's about http://git.savannah.gnu.org/cgit/patch.git/commit/?id=123eaff0d5d1aebe128295959435b9ca5909c26d but note that around this commit there are other ones that claim to avoid a potential shell injection introduced by the former, e.g.: http://git.savannah.gnu.org/cgit/patch.git/commit/?id=ff1d3a67da1e7f7af6a760ba5f0cee70763666da .

Reproducible: Always
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2018-04-06 23:02:49 UTC
CVE-2018-1000156 (https://nvd.nist.gov/vuln/detail/CVE-2018-1000156):
  GNU Patch version 2.7.6 contains an input validation vulnerability when
  processing patch files, specifically the EDITOR_PROGRAM invocation (using
  ed) can result in code execution. This attack appear to be exploitable via a
  patch file processed via the patch utility. This is similar to FreeBSD's
  CVE-2015-1418 however although they share a common ancestry the code bases
  have diverged over time.
Comment 3 Larry the Git Cow gentoo-dev 2019-03-28 00:33:19 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5c55ece4eee17a954740b8ecc03b1cb8ed58c123

commit 5c55ece4eee17a954740b8ecc03b1cb8ed58c123
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2019-03-28 00:32:30 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2019-03-28 00:33:05 +0000

    sys-devel/patch: add patches for CVE-2018-{6951,6952}, CVE-2018-1000156
    
    Bug: https://bugs.gentoo.org/647792
    Bug: https://bugs.gentoo.org/647794
    Bug: https://bugs.gentoo.org/652710
    Package-Manager: Portage-2.3.62, Repoman-2.3.12
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 .../patch/files/patch-2.7.6-CVE-2018-1000156.patch | 150 +++++++++++++++++++++
 .../patch/files/patch-2.7.6-CVE-2018-6951.patch    |  29 ++++
 .../patch/files/patch-2.7.6-CVE-2018-6952.patch    |  30 +++++
 ...-files-to-be-missing-for-ed-style-patches.patch |  25 ++++
 sys-devel/patch/patch-2.7.6-r3.ebuild              |  40 ++++++
 5 files changed, 274 insertions(+)
Comment 4 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2019-04-04 22:46:25 UTC
@arches, please stabilize.
Comment 5 Agostino Sarubbo gentoo-dev 2019-04-05 20:47:34 UTC
amd64 stable
Comment 6 Sergei Trofimovich gentoo-dev 2019-04-07 21:37:46 UTC
hppa stable
Comment 7 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2019-04-07 21:38:53 UTC
arm stable
Comment 8 Sergei Trofimovich gentoo-dev 2019-04-07 21:43:15 UTC
ia64 stable
Comment 9 Sergei Trofimovich gentoo-dev 2019-04-07 21:49:08 UTC
ppc64 stable
Comment 10 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2019-04-07 21:51:26 UTC
s390 stable
Comment 11 Thomas Deutschmann gentoo-dev Security 2019-04-08 02:20:00 UTC
x86 stable
Comment 12 Sergei Trofimovich gentoo-dev 2019-04-08 06:09:11 UTC
ppc stable
Comment 13 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2019-04-08 06:40:21 UTC
alpha stable
Comment 14 Mart Raudsepp gentoo-dev 2019-04-08 08:40:09 UTC
arm64 stable
Comment 15 Markus Meier gentoo-dev 2019-04-08 18:26:05 UTC
arm stable
Comment 16 Rolf Eike Beer 2019-04-11 05:22:08 UTC
sparc stable
Comment 17 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2019-04-11 09:47:29 UTC
m68k stable
Comment 18 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2019-04-11 09:47:53 UTC
sh stable
Comment 19 Larry the Git Cow gentoo-dev 2019-04-11 09:49:12 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=473392c657823d46c09f4c3e7d58bdde2f60ba54

commit 473392c657823d46c09f4c3e7d58bdde2f60ba54
Author:     Mikle Kolyada <zlogene@gentoo.org>
AuthorDate: 2019-04-11 09:48:52 +0000
Commit:     Mikle Kolyada <zlogene@gentoo.org>
CommitDate: 2019-04-11 09:49:08 +0000

    sys-devel/patch: Security cleanup
    
    Bug: https://bugs.gentoo.org/652710
    Signed-off-by: Mikle Kolyada <zlogene@gentoo.org>
    Package-Manager: Portage-2.3.62, Repoman-2.3.11

 sys-devel/patch/patch-2.7.6-r2.ebuild | 36 -----------------------------------
 1 file changed, 36 deletions(-)
Comment 20 GLSAMaker/CVETool Bot gentoo-dev 2019-04-17 18:30:13 UTC
This issue was resolved and addressed in
 GLSA 201904-17 at https://security.gentoo.org/glsa/201904-17
by GLSA coordinator Aaron Bauman (b-man).