Fixed #1582675 - Patch can be crashed and coredumped with a trivial wrong command

2018-10-11 15:29:08 +02:00 · 2018-10-11 15:29:08 +02:00 · 6ae7ae0710
commit 6ae7ae0710
parent e60be2b017
2 changed files with 79 additions and 2 deletions
--- a/patch-2.7.6-git-style.patch
+++ b/patch-2.7.6-git-style.patch
@ -0,0 +1,70 @@
+diff -up patch-2.7.6/src/patch.c.git-style patch-2.7.6/src/patch.c
+--- patch-2.7.6/src/patch.c.git-style	2018-02-03 13:41:49.000000000 +0100
+++ patch-2.7.6/src/patch.c	2018-10-11 15:01:08.709406802 +0200
+@@ -1938,8 +1938,12 @@ output_files (struct stat const *st)
+ {
+   gl_list_iterator_t iter;
+   const void *elt;
+  gl_list_t files;
+ 
+-  iter = gl_list_iterator (files_to_output);
+  files = files_to_output;
+  init_files_to_output ();
+
+  iter = gl_list_iterator (files);
+   while (gl_list_iterator_next (&iter, &elt, NULL))
+     {
+       const struct file_to_output *file_to_output = elt;
+@@ -1957,8 +1961,8 @@ output_files (struct stat const *st)
+ 	  /* Free the list up to here. */
+ 	  for (;;)
+ 	    {
+-	      const void *elt2 = gl_list_get_at (files_to_output, 0);
+-	      gl_list_remove_at (files_to_output, 0);
+	      const void *elt2 = gl_list_get_at (files, 0);
+	      gl_list_remove_at (files, 0);
+ 	      if (elt == elt2)
+ 		break;
+ 	    }
+@@ -1967,7 +1971,7 @@ output_files (struct stat const *st)
+ 	}
+     }
+   gl_list_iterator_free (&iter);
+-  gl_list_clear (files_to_output);
+  gl_list_clear (files);
+ }
+ 
+ /* Fatal exit with cleanup. */
+diff -up patch-2.7.6/tests/git-error.git-style patch-2.7.6/tests/git-error
+--- patch-2.7.6/tests/git-error.git-style	2018-10-11 15:00:09.349200685 +0200
+++ patch-2.7.6/tests/git-error	2018-10-11 15:00:09.349200685 +0200
+@@ -0,0 +1,29 @@
+# Copyright (C) 2018 Free Software Foundation, Inc.
+#
+# Copying and distribution of this file, with or without modification,
+# in any medium, are permitted without royalty provided the copyright
+# notice and this notice are preserved.
+
+. $srcdir/test-lib.sh
+
+require cat
+use_local_patch
+use_tmpdir
+
+cat > f.diff <<EOF
+diff --git a/boo b/boo
+--- /dev/fd/63 2018-02-27 16:32:54.861266246 +0100
++++ /dev/fd/62 2018-02-27 16:32:54.861266246 +0100
+@@ -1 +1 @@
+-abc
++def
+
+EOF
+
+check 'patch .nonexistent < f.diff || echo "Status: $?"' <<EOF
+patching file .nonexistent
+Hunk #1 FAILED at 1.
+1 out of 1 hunk FAILED -- saving rejects to file .nonexistent.rej
+$PATCH: **** Can't reopen file .nonexistent : No such file or directory
+Status: 2
+EOF
--- a/patch.spec
+++ b/patch.spec
@ -1,13 +1,14 @@
 Summary: Utility for modifying/upgrading files
 Name: patch
 Version: 2.7.6
-Release: 6%{?dist}
+Release: 7%{?dist}
 License: GPLv3+
 URL: http://www.gnu.org/software/patch/patch.html
 Group: Development/Tools
 Source: ftp://ftp.gnu.org/gnu/patch/patch-%{version}.tar.xz
 Patch1: patch-CVE-2018-1000156.patch
 Patch2: patch-2.7.6-CVE-2018-6952.patch
+Patch3: patch-2.7.6-git-style.patch
 Patch100: patch-selinux.patch
 Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)

@ -31,8 +32,11 @@ applications.

 # CVE-2018-1000156, Malicious patch files cause ed to execute arbitrary commands
 %patch1 -p1 -b .CVE-2018-1000156
-# CVE-2018-6952
+# CVE-2018-6952, Double free of memory
 %patch2 -p1 -b .CVE-2018-6952
+# Fix error handling with git-style patches
+# http://lists.gnu.org/archive/html/bug-patch/2018-10/msg00000.html
+%patch3 -p1 -b .git-style

 # SELinux support.
 %patch100 -p1 -b .selinux
@ -59,6 +63,9 @@ rm -rf $RPM_BUILD_ROOT
 %{_mandir}/*/*

 %changelog
+* Thu Oct 11 2018 Than Ngo <than@redhat.com> - 2.7.6-7
+- Fixed #1582675 - Patch can be crashed and coredumped with a trivial wrong command
+
 * Wed Aug 15 2018 Than Ngo <than@redhat.com> - 2.7.6-6
 - Fixed #1554752 - Double free of memory, CVE-2018-6952