[OpenWrt-Devel] patch: apply upstream cve fixes

Message ID 87zhvglvmf.fsf@husum.klickitat.com
State Accepted

Commit Message

Russell Senior Oct. 14, 2018, 9:34 a.m. UTC
Apply two upstream patches to address two CVEs:

 * CVE-2018-1000156
 * CVE-2018-6952

Add PKG_CPE_ID to Makefile.

Build tested on apm821xx and ar71xx.

Signed-off-by: Russell Senior <russell@personaltelco.net>
---
 tools/patch/Makefile                          |   2 +
 .../patch/patches/010-CVE-2018-1000156.patch  | 209 ++++++++++++++++++
 tools/patch/patches/020-CVE-2018-6952.patch   |  30 +++
 3 files changed, 240 insertions(+)
 create mode 100644 tools/patch/patches/010-CVE-2018-1000156.patch
 create mode 100644 tools/patch/patches/020-CVE-2018-6952.patch

Comments

Kevin 'ldir' Darbyshire-Bryant Oct. 14, 2018, 12:36 p.m. UTC | #1
Merged into my staging tree.
Thank you!
Magnus Kroken Oct. 14, 2018, 1:55 p.m. UTC | #2
Hi Russell, Kevin

On 14.10.2018 11:34, Russell Senior wrote:
> 
> Apply two upstream patches to address two CVEs:
> 
>   * CVE-2018-1000156
>   * CVE-2018-6952
> 
> Add PKG_CPE_ID to Makefile.
> 
> Build tested on apm821xx and ar71xx.
> 
> Signed-off-by: Russell Senior <russell@personaltelco.net>
> ---
>   tools/patch/Makefile                          |   2 +
>   .../patch/patches/010-CVE-2018-1000156.patch  | 209 ++++++++++++++++++
>   tools/patch/patches/020-CVE-2018-6952.patch   |  30 +++
>   3 files changed, 240 insertions(+)
>   create mode 100644 tools/patch/patches/010-CVE-2018-1000156.patch
>   create mode 100644 tools/patch/patches/020-CVE-2018-6952.patch

This change causes tools/patch/compile to fail, with:

make[5]: Leaving directory 
'/var/lib/buildbot/slaves/slashdirt-02/MAIN/build/build_dir/host/patch-2.7.6/src'
Making all in tests
make[5]: Entering directory 
'/var/lib/buildbot/slaves/slashdirt-02/MAIN/build/build_dir/host/patch-2.7.6/tests'
  cd .. && /usr/bin/env bash 
/var/lib/buildbot/slaves/slashdirt-02/MAIN/build/build_dir/host/patch-2.7.6/build-aux/missing 
automake-1.15 --gnu tests/Makefile
/var/lib/buildbot/slaves/slashdirt-02/MAIN/build/build_dir/host/patch-2.7.6/build-aux/missing: 
line 81: automake-1.15: command not found
WARNING: 'automake-1.15' is missing on your system.
          You should only need it if you modified 'Makefile.am' or
          'configure.ac' or m4 files included by 'configure.ac'.
          The 'automake' program is part of the GNU Automake package:
          <http://www.gnu.org/software/automake>
          It also requires GNU Autoconf, GNU m4 and Perl in order to run:
          <http://www.gnu.org/software/autoconf>
          <http://www.gnu.org/software/m4/>
          <http://www.perl.org/>
Makefile:1361: recipe for target 'Makefile.in' failed

Making patch depend on automake allows patch to build successfully, but 
I'm not sure that's the correct fix. Looking casually at the changes in 
the tests/ directory that these CVE patches do, I don't immediately see 
why this pulls in automake.

I worked around this by:
diff --git a/tools/Makefile b/tools/Makefile
index 9a354f6c70..7a9abddad7 100644
--- a/tools/Makefile
+++ b/tools/Makefile
@@ -76,7 +76,7 @@ $(curdir)/zlib/compile := $(curdir)/cmake/compile
  $(curdir)/wrt350nv2-builder/compile := $(curdir)/zlib/compile
  $(curdir)/lzma-old/compile := $(curdir)/zlib/compile
  $(curdir)/make-ext4fs/compile := $(curdir)/zlib/compile
-
+$(curdir)/patch/compile := $(curdir)/automake/compile
  ifneq ($(HOST_OS),Linux)
    tools-y += coreutils
  endif
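Review bot: adding `$(curdir)/patch/compile := $(curdir)/automake/compile` in this hunk introduces a dependency cycle rather than fixing the cause: tools/Makefile already makes every tool that ships a patches directory depend on tools/patch/compile, so making patch depend on automake in turn is what Hauke reports as "circular dependencies and some other build errors". The automake rerun is only triggered because 010-CVE-2018-1000156.patch modifies tests/Makefile.am, leaving it newer than the generated tests/Makefile.in; dropping the tests/ hunks from that patch removes the trigger without a new dependency. As a style point, the hunk replaces the blank separator line (`-` followed by `+$(curdir)/patch/compile ...`) instead of inserting after it, which squeezes the zlib block directly against `ifneq ($(HOST_OS),Linux)`.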


Regards
/Magnus
Hauke Mehrtens Oct. 14, 2018, 8:44 p.m. UTC | #3
On 10/14/2018 03:55 PM, Magnus Kroken wrote:
> Hi Russell, Kevin
> 
> On 14.10.2018 11:34, Russell Senior wrote:
>>
>> Apply two upstream patches to address two CVEs:
>>
>>   * CVE-2018-1000156
>>   * CVE-2018-6952
>>
>> Add PKG_CPE_ID to Makefile.
>>
>> Build tested on apm821xx and ar71xx.
>>
>> Signed-off-by: Russell Senior <russell@personaltelco.net>
>> ---
>>   tools/patch/Makefile                          |   2 +
>>   .../patch/patches/010-CVE-2018-1000156.patch  | 209 ++++++++++++++++++
>>   tools/patch/patches/020-CVE-2018-6952.patch   |  30 +++
>>   3 files changed, 240 insertions(+)
>>   create mode 100644 tools/patch/patches/010-CVE-2018-1000156.patch
>>   create mode 100644 tools/patch/patches/020-CVE-2018-6952.patch
> 
> This change causes tools/patch/compile to fail, with:
> 
> make[5]: Leaving directory
> '/var/lib/buildbot/slaves/slashdirt-02/MAIN/build/build_dir/host/patch-2.7.6/src'
> 
> Making all in tests
> make[5]: Entering directory
> '/var/lib/buildbot/slaves/slashdirt-02/MAIN/build/build_dir/host/patch-2.7.6/tests'
> 
>  cd .. && /usr/bin/env bash
> /var/lib/buildbot/slaves/slashdirt-02/MAIN/build/build_dir/host/patch-2.7.6/build-aux/missing
> automake-1.15 --gnu tests/Makefile
> /var/lib/buildbot/slaves/slashdirt-02/MAIN/build/build_dir/host/patch-2.7.6/build-aux/missing:
> line 81: automake-1.15: command not found
> WARNING: 'automake-1.15' is missing on your system.
>          You should only need it if you modified 'Makefile.am' or
>          'configure.ac' or m4 files included by 'configure.ac'.
>          The 'automake' program is part of the GNU Automake package:
>          <http://www.gnu.org/software/automake>
>          It also requires GNU Autoconf, GNU m4 and Perl in order to run:
>          <http://www.gnu.org/software/autoconf>
>          <http://www.gnu.org/software/m4/>
>          <http://www.perl.org/>
> Makefile:1361: recipe for target 'Makefile.in' failed
> 
> Making patch depend on automake allows patch to build successfully, but
> I'm not sure that's the correct fix. Looking casually at the changes in
> the tests/ directory that these CVE patches do, I don't immediately see
> why this pulls in automake.
> 
> I worked around this by:
> diff --git a/tools/Makefile b/tools/Makefile
> index 9a354f6c70..7a9abddad7 100644
> --- a/tools/Makefile
> +++ b/tools/Makefile
> @@ -76,7 +76,7 @@ $(curdir)/zlib/compile := $(curdir)/cmake/compile
>  $(curdir)/wrt350nv2-builder/compile := $(curdir)/zlib/compile
>  $(curdir)/lzma-old/compile := $(curdir)/zlib/compile
>  $(curdir)/make-ext4fs/compile := $(curdir)/zlib/compile
> -
> +$(curdir)/patch/compile := $(curdir)/automake/compile
>  ifneq ($(HOST_OS),Linux)
>    tools-y += coreutils
>  endif
> 
> 
> Regards
> /Magnus

This is fixed now in master.

It looks like make detects that test/Makefile.am was modified after
test/Makefile.in and then wants to run automake again, but that fails
because automake is not installed.

tools/Makefile adds a dependency to tools/patch/compile for every
package which has a patches directory. When you add
$(curdir)/patch/compile := $(curdir)/automake/compile
it ends up in circular dependencies and we get some other build errors.

I removed the changes to the test/ directory from the patch and then it
works.

Hauke

Patch

diff --git a/tools/patch/Makefile b/tools/patch/Makefile
index 4c4c09bc08..26f1e3eee6 100644
--- a/tools/patch/Makefile
+++ b/tools/patch/Makefile
@@ -8,6 +8,8 @@  include $(TOPDIR)/rules.mk
 
 PKG_NAME:=patch
 PKG_VERSION:=2.7.6
+PKG_RELEASE:=2
+PKG_CPE_ID:=cpe:/a:gnu:patch
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
 PKG_SOURCE_URL:=@GNU/patch
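Review bot: the commit message mentions only PKG_CPE_ID, but this hunk also bumps `PKG_RELEASE:=2`; say so in the message, since the release bump is what forces the host tool to be rebuilt with the two CVE patches. The `cpe:/a:gnu:patch` value follows the form used for PKG_CPE_ID elsewhere in the tree, so the CVE tracker can match this package against advisories for GNU patch.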
diff --git a/tools/patch/patches/010-CVE-2018-1000156.patch b/tools/patch/patches/010-CVE-2018-1000156.patch
new file mode 100644
index 0000000000..c83e240fb6
--- /dev/null
+++ b/tools/patch/patches/010-CVE-2018-1000156.patch
@@ -0,0 +1,209 @@ 
+From ee2904728eb4364a36d62d66f723d0b68749e5df Mon Sep 17 00:00:00 2001
+From: Andreas Gruenbacher <agruen@gnu.org>
+Date: Fri, 6 Apr 2018 12:14:49 +0200
+Subject: [PATCH] Fix arbitrary command execution in ed-style patches
+ (CVE-2018-1000156)
+
+* src/pch.c (do_ed_script): Write ed script to a temporary file instead
+of piping it to ed: this will cause ed to abort on invalid commands
+instead of rejecting them and carrying on.
+* tests/ed-style: New test case.
+* tests/Makefile.am (TESTS): Add test case.
+---
+ src/pch.c         | 89 +++++++++++++++++++++++++++++++++++------------
+ tests/Makefile.am |  1 +
+ tests/ed-style    | 41 ++++++++++++++++++++++
+ 3 files changed, 108 insertions(+), 23 deletions(-)
+ create mode 100644 tests/ed-style
+
+diff --git a/src/pch.c b/src/pch.c
+index ff9ed2c..8150493 100644
+--- a/src/pch.c
++++ b/src/pch.c
+@@ -33,6 +33,7 @@
+ # include <io.h>
+ #endif
+ #include <safe.h>
++#include <sys/wait.h>
+ 
+ #define INITHUNKMAX 125			/* initial dynamic allocation size */
+ 
+@@ -2388,22 +2389,28 @@ do_ed_script (char const *inname, char const *outname,
+     static char const editor_program[] = EDITOR_PROGRAM;
+ 
+     file_offset beginning_of_this_line;
+-    FILE *pipefp = 0;
+     size_t chars_read;
++    FILE *tmpfp = 0;
++    char const *tmpname;
++    int tmpfd;
++    pid_t pid;
++
++    if (! dry_run && ! skip_rest_of_patch)
++      {
++	/* Write ed script to a temporary file.  This causes ed to abort on
++	   invalid commands such as when line numbers or ranges exceed the
++	   number of available lines.  When ed reads from a pipe, it rejects
++	   invalid commands and treats the next line as a new command, which
++	   can lead to arbitrary command execution.  */
++
++	tmpfd = make_tempfile (&tmpname, 'e', NULL, O_RDWR | O_BINARY, 0);
++	if (tmpfd == -1)
++	  pfatal ("Can't create temporary file %s", quotearg (tmpname));
++	tmpfp = fdopen (tmpfd, "w+b");
++	if (! tmpfp)
++	  pfatal ("Can't open stream for file %s", quotearg (tmpname));
++      }
+ 
+-    if (! dry_run && ! skip_rest_of_patch) {
+-	int exclusive = *outname_needs_removal ? 0 : O_EXCL;
+-	assert (! inerrno);
+-	*outname_needs_removal = true;
+-	copy_file (inname, outname, 0, exclusive, instat.st_mode, true);
+-	sprintf (buf, "%s %s%s", editor_program,
+-		 verbosity == VERBOSE ? "" : "- ",
+-		 outname);
+-	fflush (stdout);
+-	pipefp = popen(buf, binary_transput ? "wb" : "w");
+-	if (!pipefp)
+-	  pfatal ("Can't open pipe to %s", quotearg (buf));
+-    }
+     for (;;) {
+ 	char ed_command_letter;
+ 	beginning_of_this_line = file_tell (pfp);
+@@ -2414,14 +2421,14 @@ do_ed_script (char const *inname, char const *outname,
+ 	}
+ 	ed_command_letter = get_ed_command_letter (buf);
+ 	if (ed_command_letter) {
+-	    if (pipefp)
+-		if (! fwrite (buf, sizeof *buf, chars_read, pipefp))
++	    if (tmpfp)
++		if (! fwrite (buf, sizeof *buf, chars_read, tmpfp))
+ 		    write_fatal ();
+ 	    if (ed_command_letter != 'd' && ed_command_letter != 's') {
+ 	        p_pass_comments_through = true;
+ 		while ((chars_read = get_line ()) != 0) {
+-		    if (pipefp)
+-			if (! fwrite (buf, sizeof *buf, chars_read, pipefp))
++		    if (tmpfp)
++			if (! fwrite (buf, sizeof *buf, chars_read, tmpfp))
+ 			    write_fatal ();
+ 		    if (chars_read == 2  &&  strEQ (buf, ".\n"))
+ 			break;
+@@ -2434,13 +2441,49 @@ do_ed_script (char const *inname, char const *outname,
+ 	    break;
+ 	}
+     }
+-    if (!pipefp)
++    if (!tmpfp)
+       return;
+-    if (fwrite ("w\nq\n", sizeof (char), (size_t) 4, pipefp) == 0
+-	|| fflush (pipefp) != 0)
++    if (fwrite ("w\nq\n", sizeof (char), (size_t) 4, tmpfp) == 0
++	|| fflush (tmpfp) != 0)
+       write_fatal ();
+-    if (pclose (pipefp) != 0)
+-      fatal ("%s FAILED", editor_program);
++
++    if (lseek (tmpfd, 0, SEEK_SET) == -1)
++      pfatal ("Can't rewind to the beginning of file %s", quotearg (tmpname));
++
++    if (! dry_run && ! skip_rest_of_patch) {
++	int exclusive = *outname_needs_removal ? 0 : O_EXCL;
++	*outname_needs_removal = true;
++	if (inerrno != ENOENT)
++	  {
++	    *outname_needs_removal = true;
++	    copy_file (inname, outname, 0, exclusive, instat.st_mode, true);
++	  }
++	sprintf (buf, "%s %s%s", editor_program,
++		 verbosity == VERBOSE ? "" : "- ",
++		 outname);
++	fflush (stdout);
++
++	pid = fork();
++	if (pid == -1)
++	  pfatal ("Can't fork");
++	else if (pid == 0)
++	  {
++	    dup2 (tmpfd, 0);
++	    execl ("/bin/sh", "sh", "-c", buf, (char *) 0);
++	    _exit (2);
++	  }
++	else
++	  {
++	    int wstatus;
++	    if (waitpid (pid, &wstatus, 0) == -1
++	        || ! WIFEXITED (wstatus)
++		|| WEXITSTATUS (wstatus) != 0)
++	      fatal ("%s FAILED", editor_program);
++	  }
++    }
++
++    fclose (tmpfp);
++    safe_unlink (tmpname);
+ 
+     if (ofp)
+       {
+diff --git a/tests/Makefile.am b/tests/Makefile.am
+index 6b6df63..16f8693 100644
+--- a/tests/Makefile.am
++++ b/tests/Makefile.am
+@@ -32,6 +32,7 @@ TESTS = \
+ 	crlf-handling \
+ 	dash-o-append \
+ 	deep-directories \
++	ed-style \
+ 	empty-files \
+ 	false-match \
+ 	fifo \
+diff --git a/tests/ed-style b/tests/ed-style
+new file mode 100644
+index 0000000..d8c0689
+--- /dev/null
++++ b/tests/ed-style
+@@ -0,0 +1,41 @@
++# Copyright (C) 2018 Free Software Foundation, Inc.
++#
++# Copying and distribution of this file, with or without modification,
++# in any medium, are permitted without royalty provided the copyright
++# notice and this notice are preserved.
++
++. $srcdir/test-lib.sh
++
++require cat
++use_local_patch
++use_tmpdir
++
++# ==============================================================
++
++cat > ed1.diff <<EOF
++0a
++foo
++.
++EOF
++
++check 'patch -e foo -i ed1.diff' <<EOF
++EOF
++
++check 'cat foo' <<EOF
++foo
++EOF
++
++cat > ed2.diff <<EOF
++1337a
++r !echo bar
++,p
++EOF
++
++check 'patch -e foo -i ed2.diff 2> /dev/null || echo "Status: $?"' <<EOF
++?
++Status: 2
++EOF
++
++check 'cat foo' <<EOF
++foo
++EOF
+-- 
+2.19.1
+
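Review bot: the embedded `tests/Makefile.am` hunk (adding `ed-style` to TESTS) and the new `tests/ed-style` file are what break the OpenWrt host build: touching tests/Makefile.am makes it newer than the tarball's generated tests/Makefile.in, so make tries to rerun `automake-1.15`, which the host build does not provide (the failure Magnus pasted). Carry only the `src/pch.c` portion of the upstream commit and drop the tests/ parts, as Hauke did in master; the fix itself is unaffected, since it is entirely in `do_ed_script`: the ed script is written to a temporary file via `make_tempfile`, the file is rewound with `lseek`, and the child created by `fork` gets it on stdin through `dup2 (tmpfd, 0)` before `execl` of the editor command, replacing the old `popen` pipe. As the comment in the hunk states, ed aborts on an invalid command when reading from a file, whereas from a pipe it rejects the bad line and treats the next line as a fresh command; the dropped `ed-style` test shows exactly that (`1337a` followed by `r !echo bar` now yields `?` and `Status: 2` with `foo` unchanged), so if tests are ever re-enabled that file is the regression check to restore. One small oddity in the hunk: `*outname_needs_removal = true;` is assigned both before and inside the `if (inerrno != ENOENT)` block, making the inner assignment redundant; harmless, and best left verbatim here so the patch stays identical to upstream commit ee2904728eb4364a36d62d66f723d0b68749e5df.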
diff --git a/tools/patch/patches/020-CVE-2018-6952.patch b/tools/patch/patches/020-CVE-2018-6952.patch
new file mode 100644
index 0000000000..e3e4020e50
--- /dev/null
+++ b/tools/patch/patches/020-CVE-2018-6952.patch
@@ -0,0 +1,30 @@ 
+From daa51e492049d9fe3ac049165ec19641bf19cd7f Mon Sep 17 00:00:00 2001
+From: Andreas Gruenbacher <agruen@gnu.org>
+Date: Fri, 17 Aug 2018 13:35:40 +0200
+Subject: [PATCH] Fix swapping fake lines in pch_swap
+
+* src/pch.c (pch_swap): Fix swapping p_bfake and p_efake when there is a
+blank line in the middle of a context-diff hunk: that empty line stays
+in the middle of the hunk and isn't swapped.
+
+Fixes: https://savannah.gnu.org/bugs/index.php?53133
+---
+ src/pch.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/pch.c b/src/pch.c
+index 8150493..6994ab2 100644
+--- a/src/pch.c
++++ b/src/pch.c
+@@ -2114,7 +2114,7 @@ pch_swap (void)
+     }
+     if (p_efake >= 0) {			/* fix non-freeable ptr range */
+ 	if (p_efake <= i)
+-	    n = p_end - i + 1;
++	    n = p_end - p_ptrn_lines;
+ 	else
+ 	    n = -i;
+ 	p_efake += n;
+-- 
+2.19.1
+
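Review bot: the `index 8150493..6994ab2` line for `src/pch.c` shows this patch was generated on top of the result of 010-CVE-2018-1000156.patch (whose post-image for the same file is `8150493`), so the 010/020 numbering is load-bearing and the two must stay in this order if either is refreshed. The change itself is the single replacement of `n = p_end - i + 1` with `n = p_end - p_ptrn_lines` in the `p_efake <= i` branch of `pch_swap`, matching the commit message's description of a blank line in the middle of a context-diff hunk not being swapped; it carries no test change, so it does not trip the automake regeneration that the 010 patch's tests/ hunks do, and the reproducer is the referenced savannah bug 53133. Mentioning in the OpenWrt commit message that this applies on top of 010 would save the next person refreshing these patches a failed apply.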