136 lines
5 KiB
Text
136 lines
5 KiB
Text
-----BEGIN PGP SIGNED MESSAGE-----
|
|
Hash: SHA512
|
|
|
|
=============================================================================
|
|
FreeBSD-SA-15:18.bsdpatch Security Advisory
|
|
The FreeBSD Project
|
|
|
|
Topic: shell injection vulnerability in patch(1)
|
|
|
|
Category: contrib
|
|
Module: patch
|
|
Announced: 2015-08-05
|
|
Credits: Martin Natano
|
|
Affects: FreeBSD 10.x.
|
|
Corrected: 2015-08-05 22:05:02 UTC (stable/10, 10.2-PRERELEASE)
|
|
2015-08-05 22:05:02 UTC (stable/10, 10.2-BETA2-p3)
|
|
2015-08-05 22:05:12 UTC (releng/10.2, 10.2-RC1-p2)
|
|
2015-08-05 22:05:12 UTC (releng/10.2, 10.2-RC2-p1)
|
|
2015-08-05 22:05:18 UTC (releng/10.1, 10.1-RELEASE-p17)
|
|
CVE Name: CVE-2015-1418
|
|
|
|
For general information regarding FreeBSD Security Advisories,
|
|
including descriptions of the fields above, security branches, and the
|
|
following sections, please visit <URL:https://security.FreeBSD.org/>.
|
|
|
|
I. Background
|
|
|
|
The patch(1) utility takes a patch file produced by the diff(1) program and
|
|
apply the differences to an original file, producing a patched version.
|
|
|
|
The patch(1) utility supports patches that uses ed(1) script format, as
|
|
required by the POSIX.1-2008 standard.
|
|
|
|
ed(1) is a line-oriented text editor.
|
|
|
|
II. Problem Description
|
|
|
|
Due to insufficient sanitization of the input patch stream, it is possible
|
|
for a patch file to cause patch(1) to pass certain ed(1) scripts to the
|
|
ed(1) editor, which would run commands.
|
|
|
|
III. Impact
|
|
|
|
This issue could be exploited to execute arbitrary commands as the user
|
|
invoking patch(1) against a specically crafted patch file, which could be
|
|
leveraged to obtain elevated privileges.
|
|
|
|
IV. Workaround
|
|
|
|
No workaround is available, but systems where a privileged user does not
|
|
make use of patches without proper validation are not affected.
|
|
|
|
V. Solution
|
|
|
|
Perform one of the following:
|
|
|
|
1) Upgrade your vulnerable system to a supported FreeBSD stable or
|
|
release / security branch (releng) dated after the correction date.
|
|
|
|
A reboot is not required after updating.
|
|
|
|
2) To update your vulnerable system via a binary patch:
|
|
|
|
Systems running a RELEASE version of FreeBSD on the i386 or amd64
|
|
platforms can be updated via the freebsd-update(8) utility:
|
|
|
|
# freebsd-update fetch
|
|
# freebsd-update install
|
|
|
|
A reboot is not required after updating.
|
|
|
|
3) To update your vulnerable system via a source code patch:
|
|
|
|
The following patches have been verified to apply to the applicable
|
|
FreeBSD release branches.
|
|
|
|
a) Download the relevant patch from the location below, and verify the
|
|
detached PGP signature using your PGP utility.
|
|
|
|
# fetch https://security.FreeBSD.org/patches/SA-15:18/bsdpatch.patch
|
|
# fetch https://security.FreeBSD.org/patches/SA-15:18/bsdpatch.patch.asc
|
|
# gpg --verify bsdpatch.patch.asc
|
|
|
|
b) Apply the patch. Execute the following commands as root:
|
|
|
|
# cd /usr/src
|
|
# patch < /path/to/patch
|
|
|
|
c) Recompile the operating system using buildworld and installworld as
|
|
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
|
|
|
|
VI. Correction details
|
|
|
|
The following list contains the correction revision numbers for each
|
|
affected branch.
|
|
|
|
Branch/path Revision
|
|
- -------------------------------------------------------------------------
|
|
stable/10/ r286348
|
|
releng/10.1/ r286351
|
|
releng/10.2/ r286350
|
|
- -------------------------------------------------------------------------
|
|
|
|
To see which files were modified by a particular revision, run the
|
|
following command, replacing NNNNNN with the revision number, on a
|
|
machine with Subversion installed:
|
|
|
|
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
|
|
|
|
Or visit the following URL, replacing NNNNNN with the revision number:
|
|
|
|
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
|
|
|
|
VII. References
|
|
|
|
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1418>
|
|
|
|
The latest revision of this advisory is available at
|
|
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-15:18.bsdpatch.asc>
|
|
-----BEGIN PGP SIGNATURE-----
|
|
Version: GnuPG v2.1.6 (FreeBSD)
|
|
|
|
iQIcBAEBCgAGBQJVwoplAAoJEO1n7NZdz2rn8D4QAM0077U1nLiJFIU1VcM9IOKp
|
|
GeZ/w9SnkrKqKzAQpq3QS1hmw0TxvP8kuJNuRVFF6M15Woprfxccb8mDxM0ntru4
|
|
t8rq/QLO2jMWopf67Spv6jr6GLLQXkiyRwLEyr7L8a7MbrFwjO1wYt+8GnQ6Nsvn
|
|
kNfCnbNKPr1gNYM1XsLS7Ej1kl7aBx3xGQXU4d9HlOs/1X7rnPCnGKuc3ZD2Z/N4
|
|
zu8pV4NMFhWyJsax+FVYEFxwyd2uEb73A35nz/sQhGiwGOCtL424KG+hwj9mnm45
|
|
8f4m+53b6RDcBh6xU41fghMsac2PVCzY2r9GXXXJNlfEa+KnSN8yC+CvtXYEM9BX
|
|
9Y5g6i++RVLLT7mwFdG86FjZxSGpDBXlkpZ4I9qiS4YC8MFO4qC7SFzufxtfOcg+
|
|
R+QSj+DWOfeHDcXjEkHGlqTW9poE2EDWXDLwlEoOykh9NLyWl6enYd8ZEI3GUqyJ
|
|
FgKiICrs1vUuGhOhTCgjyQjQUc6jaV/GzhLBJfyxz5xYDpr7DIILxJ8uki2FJcHS
|
|
tZhlNu6JNqpBlsWNspqjw7NSP2j58Uj0bBdwWvFNX8otQiIXVfkdY8RCjxstq5lT
|
|
3bcF6akAFEBx/f/VYM1lswLM/XdbORYC3asLu84BP541EDqdx9d88TeTKNPvyb4Q
|
|
sGJ763WSlsoLrQDr8CUt
|
|
=iR0L
|
|
-----END PGP SIGNATURE-----
|