Date: Fri, 24 May 2013 00:02:09 +0200 From: dt71@gmx.com To: freebsd-current@freebsd.org Subject: Re: Bug in BSD patch Message-ID: <519E91E1.2050905@gmx.com> In-Reply-To: <519DF73E.40307@freebsd.org> References: <519DBC27.9030600@gmx.com> <519DF73E.40307@freebsd.org>
next in thread | previous in thread | raw e-mail | index | archive | help
On 05/23/2013 13:02, Stefan Esser wrote: > Quoting from the patch(1) man page: > [...] >patch will examine either the “old” and > “new” file names or, for a non-context diff, the “index” file name, > and choose the file name with the fewest path components, the short- > est basename, and the shortest total file name length (in that > order). I did read that, got confused, and decided to put off further attempts to understand the program--manpage connection. > Your patch file example has the following file information: > > --- texi2html.pl 2012-07-09 10:54:41.000000000 +0200 > +++ /usr/local/bin/texi2html 2012-07-09 10:53:16.000000000 +0200 > > Patch will modify "texi2html.pl" in the work directory. The > other file name (/usr/local/bin/texi2html) is ignored. > > So, there is no problem with this patch, if patch works as > advertised. In that case, I see no security issues (assuming I didn't miss anything): all patch files (containing at least 1 absolute path, excluding /dev/null) would point the patch program to the work directory, provided that a manpage-conforming program is used. >> Some patch files refer to target files in the /tmp directory. >> Theoretically, this means that malicious regular users are able to >> fiddle with the patching process: by creating the target files in the >> /tmp directory, they are able to silently cause patches to apply to >> bogus files in the /tmp directory instead of the intended files in the >> port's work directory. In the extreme case, a malicious user could cause >> ports to be built without certain security patches. The user could also >> try a symlink attack. > > But it is highly unlikely, that the chunk will apply cleanly, and > thus patch will abort without changing the bogus target file, in > most cases. In which case a reject file will be written to /tmp/<insert_target_file_here>.rej, which will be -- perhaps only at the right time, as a race condition -- a symlink to /etc/<insert_important_file_here>. Unfortunately, my brief attempt at making this work failed.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?519E91E1.2050905>