-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-15:14.bsdpatch                                   Security Advisory
                                                          The FreeBSD Project

Topic:          shell injection vulnerability in patch(1)

Category:       contrib
Module:         patch
Announced:      2015-07-28
Credits:        Martin Natano
Affects:        FreeBSD 10.x.
Corrected:      2015-07-28 19:58:44 UTC (stable/10, 10.2-PRERELEASE)
                2015-07-28 19:58:44 UTC (stable/10, 10.2-BETA2-p2)
                2015-07-28 19:59:04 UTC (releng/10.2, 10.2-RC1-p1)
                2015-07-28 19:59:11 UTC (releng/10.1, 10.1-RELEASE-p16)
CVE Name:       CVE-2015-1416

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.

I. Background

The patch(1) utility takes a patch file produced by the diff(1) program and
applies the differences to an original file, producing a patched version.

The patch(1) utility supports certain version control systems, namely SCCS
and RCS, and attempts to get or check out the file before applying a patch
if the original file does not already exist.

II. Problem Description

Due to insufficient sanitization of the input patch stream, it is possible
for a patch file to cause patch(1) to run commands in addition to the desired
SCCS or RCS commands.
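
The bug class behind this advisory, as an added C illustration that is not patch(1)'s source: a checkout command assembled by string interpolation and destined for system() is shown beside the shell-free fork()/execvp() form, with a helper that flags file names the shell would interpret. The `co -q` command string, the `contains_shell_metachar` helper, the sample name and the use of `true` as a stand-in program are assumptions of this example, not details taken from the advisory.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Unsafe pattern (constructed, not patch(1)'s code): a file name taken from
 * the patch header is interpolated into a command line meant for system(),
 * so "sh -c" interprets every shell metacharacter the name carries. */
int build_checkout_command(char *buf, size_t buflen, const char *filename)
{
    return snprintf(buf, buflen, "co -q %s", filename);
}

/* Reject-early check: 1 if the name holds any byte the shell treats
 * specially. A stopgap only; the real fix is to bypass the shell. */
int contains_shell_metachar(const char *filename)
{
    return strpbrk(filename, ";&|`$()<>\"'\\ \t\n*?[]{}~#") != NULL;
}

/* Safe pattern: fork()/execvp() with an argv array. The file name is one
 * argv element and reaches the program verbatim, so no byte in it is
 * parsed. Returns the child's exit status, or -1 on failure. */
int run_checkout_noshell(const char *prog, const char *filename)
{
    char *const argv[] = { (char *)prog, (char *)filename, NULL };
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execvp(prog, argv);
        _exit(127);               /* exec failed; same code sh would use */
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    char cmd[128];
    const char *name = "foo.c;true";       /* constructed sample name */
    build_checkout_command(cmd, sizeof cmd, name);
    printf("shell would see : %s\n", cmd);
    printf("metachar check  : %d\n", contains_shell_metachar(name));
    printf("exec status     : %d\n", run_checkout_noshell("true", name));
    return 0;
}
```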

III. Impact

This issue could be exploited to execute arbitrary commands as the user
invoking patch(1) against a specifically crafted patch file, which could be
leveraged to obtain elevated privileges.

IV. Workaround

No workaround is available, but systems on which a privileged user applies
only patches that have been properly validated are not affected.

V. Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

A reboot is not required after updating.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

A reboot is not required after updating.

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-15:14/bsdpatch.patch
# fetch https://security.FreeBSD.org/patches/SA-15:14/bsdpatch.patch.asc
# gpg --verify bsdpatch.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.

VI. Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
---------------------------------------------------------------------------
stable/10/                                                        r285976
releng/10.1/                                                      r285978
releng/10.2/                                                      r285979
---------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>

VII. References

<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1416>

The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-15:14.bsdpatch.asc>