Fixed #1582675 - Patch can be crashed and coredumped with a trivial wrong command

2018-10-11 15:29:08 +02:00 · 2018-10-11 15:29:08 +02:00 · 6ae7ae0710
commit 6ae7ae0710
parent e60be2b017
2 changed files with 79 additions and 2 deletions
--- a/patch-2.7.6-git-style.patch
+++ b/patch-2.7.6-git-style.patch
@ -0,0 +1,70 @@
 diff -up patch-2.7.6/src/patch.c.git-style patch-2.7.6/src/patch.c
 --- patch-2.7.6/src/patch.c.git-style	2018-02-03 13:41:49.000000000 +0100
 +++ patch-2.7.6/src/patch.c	2018-10-11 15:01:08.709406802 +0200
@@ -1938,8 +1938,12 @@ output_files (struct stat const *st)
 {
   gl_list_iterator_t iter;
   const void *elt;
 +  gl_list_t files;
 -  iter = gl_list_iterator (files_to_output);
 +  files = files_to_output;
 +  init_files_to_output ();
 +
 +  iter = gl_list_iterator (files);
   while (gl_list_iterator_next (&iter, &elt, NULL))
     {
       const struct file_to_output *file_to_output = elt;
@@ -1957,8 +1961,8 @@ output_files (struct stat const *st)
 	  /* Free the list up to here. */
 	  for (;;)
 	    {
 -	      const void *elt2 = gl_list_get_at (files_to_output, 0);
 -	      gl_list_remove_at (files_to_output, 0);
 +	      const void *elt2 = gl_list_get_at (files, 0);
 +	      gl_list_remove_at (files, 0);
 	      if (elt == elt2)
 		break;
 	    }
@@ -1967,7 +1971,7 @@ output_files (struct stat const *st)
 	}
     }
   gl_list_iterator_free (&iter);
 -  gl_list_clear (files_to_output);
 +  gl_list_clear (files);
 }
 /* Fatal exit with cleanup. */
 diff -up patch-2.7.6/tests/git-error.git-style patch-2.7.6/tests/git-error
 --- patch-2.7.6/tests/git-error.git-style	2018-10-11 15:00:09.349200685 +0200
 +++ patch-2.7.6/tests/git-error	2018-10-11 15:00:09.349200685 +0200
@@ -0,0 +1,29 @@
 +# Copyright (C) 2018 Free Software Foundation, Inc.
 +#
 +# Copying and distribution of this file, with or without modification,
 +# in any medium, are permitted without royalty provided the copyright
 +# notice and this notice are preserved.
 +
 +. $srcdir/test-lib.sh
 +
 +require cat
 +use_local_patch
 +use_tmpdir
 +
 +cat > f.diff <<EOF
 +diff --git a/boo b/boo
 +--- /dev/fd/63 2018-02-27 16:32:54.861266246 +0100
 ++++ /dev/fd/62 2018-02-27 16:32:54.861266246 +0100
 +@@ -1 +1 @@
 +-abc
 ++def
 +
 +EOF
 +
 +check 'patch .nonexistent < f.diff || echo "Status: $?"' <<EOF
 +patching file .nonexistent
 +Hunk #1 FAILED at 1.
 +1 out of 1 hunk FAILED -- saving rejects to file .nonexistent.rej
 +$PATCH: **** Can't reopen file .nonexistent : No such file or directory
 +Status: 2
 +EOF
--- a/patch.spec
+++ b/patch.spec
@ -1,13 +1,14 @@
 Summary: Utility for modifying/upgrading files
 Name: patch
 Version: 2.7.6
-Release: 6%{?dist}
+Release: 7%{?dist}
 License: GPLv3+
 URL: http://www.gnu.org/software/patch/patch.html
 Group: Development/Tools
 Source: ftp://ftp.gnu.org/gnu/patch/patch-%{version}.tar.xz
 Patch1: patch-CVE-2018-1000156.patch
 Patch2: patch-2.7.6-CVE-2018-6952.patch
 Patch3: patch-2.7.6-git-style.patch
 Patch100: patch-selinux.patch
 Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@ -31,8 +32,11 @@ applications.
 # CVE-2018-1000156, Malicious patch files cause ed to execute arbitrary commands
 %patch1 -p1 -b .CVE-2018-1000156
-# CVE-2018-6952
+# CVE-2018-6952, Double free of memory
 %patch2 -p1 -b .CVE-2018-6952
 # Fix error handling with git-style patches
 # http://lists.gnu.org/archive/html/bug-patch/2018-10/msg00000.html
 %patch3 -p1 -b .git-style
 # SELinux support.
 %patch100 -p1 -b .selinux
@ -59,6 +63,9 @@ rm -rf $RPM_BUILD_ROOT
 %{_mandir}/*/*
 %changelog
 * Thu Oct 11 2018 Than Ngo <than@redhat.com> - 2.7.6-7
 - Fixed #1582675 - Patch can be crashed and coredumped with a trivial wrong command
 * Wed Aug 15 2018 Than Ngo <than@redhat.com> - 2.7.6-6
 - Fixed #1554752 - Double free of memory, CVE-2018-6952