| Brad Bishop | c68388fc | 2019-08-26 01:33:31 -0400 | [diff] [blame] | 1 | From 7f770b9c20da1a192dad8cb572a6391f2773285a Mon Sep 17 00:00:00 2001 |
| 2 | From: Jean Delvare <jdelvare@suse.de> |
| 3 | Date: Thu, 3 May 2018 14:31:55 +0200 |
| 4 | Subject: [PATCH 1/2] Don't leak temporary file on failed ed-style patch |
| 5 | |
| 6 | Now that we write ed-style patches to a temporary file before we |
| 7 | apply them, we need to ensure that the temporary file is removed |
| 8 | before we leave, even on fatal error. |
| 9 | |
| 10 | * src/pch.c (do_ed_script): Use global TMPEDNAME instead of local |
| 11 | tmpname. Don't unlink the file directly, instead tag it for removal |
| 12 | at exit time. |
| 13 | * src/patch.c (cleanup): Unlink TMPEDNAME at exit. |
| 14 | |
| 15 | This closes bug #53820: |
| 16 | https://savannah.gnu.org/bugs/index.php?53820 |
| 17 | |
| 18 | Fixes: 123eaff0d5d1 ("Fix arbitrary command execution in ed-style patches (CVE-2018-1000156)") |
| 19 | |
| Brad Bishop | 79641f2 | 2019-09-10 07:20:22 -0400 | [diff] [blame^] | 20 | CVE: CVE-2018-1000156 |
| Brad Bishop | c68388fc | 2019-08-26 01:33:31 -0400 | [diff] [blame] | 21 | Upstream-Status: Backport [http://git.savannah.gnu.org/cgit/patch.git/commit/?id=19599883ffb6a450d2884f081f8ecf68edbed7ee] |
| 22 | Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> |
| 23 | --- |
| 24 | src/common.h | 2 ++ |
| 25 | src/pch.c | 12 +++++------- |
| 26 | 2 files changed, 7 insertions(+), 7 deletions(-) |
| 27 | |
| 28 | diff --git a/src/common.h b/src/common.h |
| 29 | index ec50b40..22238b5 100644 |
| 30 | --- a/src/common.h |
| 31 | +++ b/src/common.h |
| 32 | @@ -94,10 +94,12 @@ XTERN char const *origsuff; |
| 33 | XTERN char const * TMPINNAME; |
| 34 | XTERN char const * TMPOUTNAME; |
| 35 | XTERN char const * TMPPATNAME; |
| 36 | +XTERN char const * TMPEDNAME; |
| 37 | |
| 38 | XTERN bool TMPINNAME_needs_removal; |
| 39 | XTERN bool TMPOUTNAME_needs_removal; |
| 40 | XTERN bool TMPPATNAME_needs_removal; |
| 41 | +XTERN bool TMPEDNAME_needs_removal; |
| 42 | |
| 43 | #ifdef DEBUGGING |
| 44 | XTERN int debug; |
| 45 | diff --git a/src/pch.c b/src/pch.c |
| 46 | index 16e001a..c1a62cf 100644 |
| 47 | --- a/src/pch.c |
| 48 | +++ b/src/pch.c |
| 49 | @@ -2392,7 +2392,6 @@ do_ed_script (char const *inname, char const *outname, |
| 50 | file_offset beginning_of_this_line; |
| 51 | size_t chars_read; |
| 52 | FILE *tmpfp = 0; |
| 53 | - char const *tmpname; |
| 54 | int tmpfd; |
| 55 | pid_t pid; |
| 56 | |
| 57 | @@ -2404,12 +2403,13 @@ do_ed_script (char const *inname, char const *outname, |
| 58 | invalid commands and treats the next line as a new command, which |
| 59 | can lead to arbitrary command execution. */ |
| 60 | |
| 61 | - tmpfd = make_tempfile (&tmpname, 'e', NULL, O_RDWR | O_BINARY, 0); |
| 62 | + tmpfd = make_tempfile (&TMPEDNAME, 'e', NULL, O_RDWR | O_BINARY, 0); |
| 63 | if (tmpfd == -1) |
| 64 | - pfatal ("Can't create temporary file %s", quotearg (tmpname)); |
| 65 | + pfatal ("Can't create temporary file %s", quotearg (TMPEDNAME)); |
| 66 | + TMPEDNAME_needs_removal = true; |
| 67 | tmpfp = fdopen (tmpfd, "w+b"); |
| 68 | if (! tmpfp) |
| 69 | - pfatal ("Can't open stream for file %s", quotearg (tmpname)); |
| 70 | + pfatal ("Can't open stream for file %s", quotearg (TMPEDNAME)); |
| 71 | } |
| 72 | |
| 73 | for (;;) { |
| 74 | @@ -2449,8 +2449,7 @@ do_ed_script (char const *inname, char const *outname, |
| 75 | write_fatal (); |
| 76 | |
| 77 | if (lseek (tmpfd, 0, SEEK_SET) == -1) |
| 78 | - pfatal ("Can't rewind to the beginning of file %s", quotearg (tmpname)); |
| 79 | - |
| 80 | + pfatal ("Can't rewind to the beginning of file %s", quotearg (TMPEDNAME)); |
| 81 | if (! dry_run && ! skip_rest_of_patch) { |
| 82 | int exclusive = *outname_needs_removal ? 0 : O_EXCL; |
| 83 | *outname_needs_removal = true; |
| 84 | @@ -2482,7 +2481,6 @@ do_ed_script (char const *inname, char const *outname, |
| 85 | } |
| 86 | |
| 87 | fclose (tmpfp); |
| 88 | - safe_unlink (tmpname); |
| 89 | |
| 90 | if (ofp) |
| 91 | { |
| 92 | -- |
| 93 | 2.17.0 |
| 94 | |