Bug 1564326 (CVE-2018-1000156)

Summary: CVE-2018-1000156 patch: Malicious patch files cause ed to execute arbitrary commands
Product: [Other] Security Response
Reporter: Sam Fowler <sfowler>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: high
Priority: high
Version: unspecified
CC: carnil, chorn, djez, fkrska, fweimer, mzeleny, psampaio, salmy, than, twaugh, yozone
Keywords: Security
Hardware: All
OS: Linux
Last Closed: 2019-06-10 10:19:43 UTC
Bug Depends On: 1564327, 1564328, 1564332, 1564333, 1564334, 1564335, 1589881, 1589882, 1589883, 1589884, 1589885, 1589886, 1589887
Bug Blocks: 1564330

Description Sam Fowler 2018-04-06 00:36:53 UTC
GNU patch does not properly sanitize patch files allowing for malicious patches to pass arbitrary shell commands to ed. An attacker could exploit this by tricking a user into applying malicious patches with the patch command.

Comment 1 Sam Fowler 2018-04-06 00:37:33 UTC
Created patch tracking bugs for this issue:

Affects: fedora-all [bug 1564327]

Comment 3 Doran Moppert 2018-04-06 00:56:11 UTC
There is some discussion at: http://rachelbythebay.com/w/2018/04/05/bangpatch/

The OpenBSD patch tries to fix up interpretation of s// commands on their way to ed.  The FreeBSD patch does this and also switches to /usr/bin/red (restricted-mode ed), which is supposed to be safer.

At first glance, GNU patch's interpretation of the stream passed to ed is much more naive. The "correct" thing would be to invoke /usr/bin/red (on the assumption that patches shouldn't be able to execute arbitrary commands).

It also looks like GNU patch ignores -c -e -n -u options to specify the patch type, instead calling intuit_diff_type for each file header.

Comment 5 Doran Moppert 2018-04-06 01:05:52 UTC
Upstream ticket:

https://savannah.gnu.org/bugs/?53566

Comment 7 Doran Moppert 2018-04-06 01:17:49 UTC
Two proposed patches are already attached upstream.  Of those, Saleem Rashid's "Refuse to apply ed scripts by default" seems pretty solid, as it asks the user before each potential invocation of ed.  This protects against bugs in restricted-ed as well, which seems wise.

It also includes tests, and allows override with "-f" in case auto build systems want to enable ed for some reason.  The risk remains that existing build systems already use -f, so they will be unprotected.

Comment 8 Doran Moppert 2018-04-09 03:25:39 UTC
Upstream patch:

http://git.savannah.gnu.org/cgit/patch.git/commit/?id=123eaff0d5d1aebe128295959435b9ca5909c26d

Includes test suite which covers the cases identified here, and more.

This forces ed to quit on invalid commands, preventing this injection.  Patch applies quite strict validation to ed scripts, so hopefully this is the only missing piece.

Invoking "ed -r" is still probably a good defense-in-depth mechanism, as further injections may be present or introduced by future changes in ed or patch.

Comment 9 errata-xmlrpc 2018-04-23 17:32:53 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2018:1199 https://access.redhat.com/errata/RHSA-2018:1199

Comment 10 errata-xmlrpc 2018-04-23 17:35:23 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2018:1200 https://access.redhat.com/errata/RHSA-2018:1200

Comment 19 errata-xmlrpc 2018-06-27 19:00:11 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.5 Advanced Update Support

Via RHSA-2018:2096 https://access.redhat.com/errata/RHSA-2018:2096

Comment 20 errata-xmlrpc 2018-06-27 19:00:38 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.2 Advanced Update Support
  Red Hat Enterprise Linux 7.2 Update Services for SAP Solutions
  Red Hat Enterprise Linux 7.2 Telco Extended Update Support

Via RHSA-2018:2093 https://access.redhat.com/errata/RHSA-2018:2093

Comment 21 errata-xmlrpc 2018-06-27 19:00:50 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.6 Advanced Update Support
  Red Hat Enterprise Linux 6.6 Telco Extended Update Support

Via RHSA-2018:2095 https://access.redhat.com/errata/RHSA-2018:2095

Comment 22 errata-xmlrpc 2018-06-27 19:01:05 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.7 Extended Update Support

Via RHSA-2018:2094 https://access.redhat.com/errata/RHSA-2018:2094

Comment 23 errata-xmlrpc 2018-06-27 19:01:43 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.4 Advanced Update Support

Via RHSA-2018:2097 https://access.redhat.com/errata/RHSA-2018:2097

Comment 24 errata-xmlrpc 2018-06-27 19:10:41 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.3 Extended Update Support

Via RHSA-2018:2092 https://access.redhat.com/errata/RHSA-2018:2092

Comment 25 errata-xmlrpc 2018-06-27 19:15:24 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.4 Extended Update Support

Via RHSA-2018:2091 https://access.redhat.com/errata/RHSA-2018:2091