Bug 1564326 (CVE-2018-1000156) - CVE-2018-1000156 patch: Malicious patch files cause ed to execute arbitrary commands
Summary: CVE-2018-1000156 patch: Malicious patch files cause ed to execute arbitrary c...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2018-1000156
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=important,public=20180405,repo...
Depends On: 1564327 1564328 1564332 1564333 1564334 1564335 1589881 1589882 1589883 1589884 1589885 1589886 1589887
Blocks: 1564330
TreeView+ depends on / blocked
 
Reported: 2018-04-06 00:36 UTC by Sam Fowler
Modified: 2019-06-10 10:19 UTC (History)
11 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-06-10 10:19:43 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2018:1199 None None None 2018-04-23 17:33:01 UTC
Red Hat Product Errata RHSA-2018:1200 None None None 2018-04-23 17:35:30 UTC
Red Hat Product Errata RHSA-2018:2091 None None None 2018-06-27 19:15:32 UTC
Red Hat Product Errata RHSA-2018:2092 None None None 2018-06-27 19:10:49 UTC
Red Hat Product Errata RHSA-2018:2093 None None None 2018-06-27 19:00:45 UTC
Red Hat Product Errata RHSA-2018:2094 None None None 2018-06-27 19:01:15 UTC
Red Hat Product Errata RHSA-2018:2095 None None None 2018-06-27 19:00:57 UTC
Red Hat Product Errata RHSA-2018:2096 None None None 2018-06-27 19:00:21 UTC
Red Hat Product Errata RHSA-2018:2097 None None None 2018-06-27 19:01:51 UTC

Description Sam Fowler 2018-04-06 00:36:53 UTC
GNU patch does not properly sanitize patch files allowing for malicious patches to pass arbitrary shell commands to ed. An attacker could exploit this by tricking a user into applying malicious patches with the patch command.

Comment 1 Sam Fowler 2018-04-06 00:37:33 UTC
Created patch tracking bugs for this issue:

Affects: fedora-all [bug 1564327]

Comment 3 Doran Moppert 2018-04-06 00:56:11 UTC
There is some discussion at: http://rachelbythebay.com/w/2018/04/05/bangpatch/

The OpenBSD patch tries to fix up interpretation of s// commands on their way to ed.  The FreeBSD patch does this and also switches to /usr/bin/red (restricted-mode ed), which is supposed to be safer.

On first glance, GNU patch's interpretation of the stream passed to ed is much more naive.  The "correct" thing would be to invoke /usr/bin/red (on the assumption that patches shouldn't be able to execute arbitrary commands).

It also looks like GNU patch ignores -c -e -n -u options to specify the patch type, instead calling intuit_diff_type for each file header.

Comment 5 Doran Moppert 2018-04-06 01:05:52 UTC
Upstream ticket:

https://savannah.gnu.org/bugs/?53566

Comment 7 Doran Moppert 2018-04-06 01:17:49 UTC
Two proposed patches are already attached upstream.  Of those, Saleem Rashid's "Refuse to apply ed scripts by default" seems pretty solid, as it asks the user before each potential invocation of ed.  This protects against bugs in restricted-ed as well, which seems wise.

It also includes tests, and allows override with "-f" in case auto build systems want to enable ed for some reason.  The risk remains that existing build systems already use -f, so they will be unprotected.

Comment 8 Doran Moppert 2018-04-09 03:25:39 UTC
Upstream patch:

http://git.savannah.gnu.org/cgit/patch.git/commit/?id=123eaff0d5d1aebe128295959435b9ca5909c26d

Includes test suite which covers the cases identified here, and more.

This forces ed to quit on invalid commands, preventing this injection.  Patch applies quite strict validation to ed scripts, so hopefully this is the only missing piece.

Invoking "ed -r" is still probably a good defense-in-depth mechanism, as further injections may be present or introduced by future changes in ed or patch.

Comment 9 errata-xmlrpc 2018-04-23 17:32:53 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2018:1199 https://access.redhat.com/errata/RHSA-2018:1199

Comment 10 errata-xmlrpc 2018-04-23 17:35:23 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2018:1200 https://access.redhat.com/errata/RHSA-2018:1200

Comment 19 errata-xmlrpc 2018-06-27 19:00:11 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.5 Advanced Update Support

Via RHSA-2018:2096 https://access.redhat.com/errata/RHSA-2018:2096

Comment 20 errata-xmlrpc 2018-06-27 19:00:38 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.2 Advanced Update Support
  Red Hat Enterprise Linux 7.2 Update Services for SAP Solutions
  Red Hat Enterprise Linux 7.2 Telco Extended Update Support

Via RHSA-2018:2093 https://access.redhat.com/errata/RHSA-2018:2093

Comment 21 errata-xmlrpc 2018-06-27 19:00:50 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.6 Advanced Update Support
  Red Hat Enterprise Linux 6.6 Telco Extended Update Support

Via RHSA-2018:2095 https://access.redhat.com/errata/RHSA-2018:2095

Comment 22 errata-xmlrpc 2018-06-27 19:01:05 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.7 Extended Update Support

Via RHSA-2018:2094 https://access.redhat.com/errata/RHSA-2018:2094

Comment 23 errata-xmlrpc 2018-06-27 19:01:43 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.4 Advanced Update Support

Via RHSA-2018:2097 https://access.redhat.com/errata/RHSA-2018:2097

Comment 24 errata-xmlrpc 2018-06-27 19:10:41 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.3 Extended Update Support

Via RHSA-2018:2092 https://access.redhat.com/errata/RHSA-2018:2092

Comment 25 errata-xmlrpc 2018-06-27 19:15:24 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.4 Extended Update Support

Via RHSA-2018:2091 https://access.redhat.com/errata/RHSA-2018:2091


Note You need to log in before you can comment on or make changes to this bug.