Re: Bug in BSD patch

From: <dt71_at_gmx.com> Date: Fri, 24 May 2013 00:02:09 +0200 · This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:40:38 UTC

On 05/23/2013 13:02, Stefan Esser wrote:
> Quoting from the patch(1) man page:
> [...]
>patch will examine either the “old” and
>     “new” file names or, for a non-context diff, the “index” file name,
>     and choose the file name with the fewest path components, the short-
>     est basename, and the shortest total file name length (in that
>     order).

I did read that, got confused, and decided to put off further attempts to understand the program--manpage connection.

> Your patch file example has the following file information:
>
> --- texi2html.pl        2012-07-09 10:54:41.000000000 +0200
> +++ /usr/local/bin/texi2html    2012-07-09 10:53:16.000000000 +0200
>
> Patch will modify "texi2html.pl" in the work directory. The
> other file name (/usr/local/bin/texi2html) is ignored.
>
> So, there is no problem with this patch, if patch works as
> advertised.

In that case, I see no security issues (assuming I didn't miss anything): all patch files (containing at least 1 absolute path, excluding /dev/null) would point the patch program to the work directory, provided that a manpage-conforming program is used.

>> Some patch files refer to target files in the /tmp directory.
>> Theoretically, this means that malicious regular users are able to
>> fiddle with the patching process: by creating the target files in the
>> /tmp directory, they are able to silently cause patches to apply to
>> bogus files in the /tmp directory instead of the intended files in the
>> port's work directory. In the extreme case, a malicious user could cause
>> ports to be built without certain security patches. The user could also
>> try a symlink attack.
>
> But it is highly unlikely, that the chunk will apply cleanly, and
> thus patch will abort without changing the bogus target file, in
> most cases.

In which case a reject file will be written to /tmp/<insert_target_file_here>.rej, which will be -- perhaps only at the right time, as a race condition -- a symlink to /etc/<insert_important_file_here>. Unfortunately, my brief attempt at making this work failed.