CLD-355 Details

Other IDs this deficiency may be known by:

CVE ID	CVE-2018-1000156 (nvd) (mitre) (debian) (archlinux) (red hat) (suse) (ubuntu)
Other ID(s)

Basic Information:

Affected Package(s)	patch
Deficiency Type	SECURITY
Date Created	2018-04-06 08:53:39
Date Last Modified	2018-04-06 10:30:29

Version Specific Information:

Cucumber 1.0 i686	fixed in patch-2.7.5-i686-3
Cucumber 1.0 x86_64	fixed in patch-2.7.5-x86_64-3

Cucumber 1.1 i686	fixed in patch-2.7.5-i686-3
Cucumber 1.1 x86_64	fixed in patch-2.7.5-x86_64-3

Details:

=================================== Overview ===================================

GNU Patch version 2.7.6 contains an input validation vulnerability when
processing patch files, specifically the EDITOR_PROGRAM invocation (using ed)
can result in code execution. This attack appear to be exploitable via a patch
file processed via the patch utility. This is similar to FreeBSD's
CVE-2015-1418 however although they share a common ancestry the code bases have
diverged over time. 

================================ Initial Report ================================

From http://www.openwall.com/lists/oss-security/2018/04/06/1:

Date: Fri, 6 Apr 2018 08:52:43 +0200
From: Hanno B?ck 
To: oss-security@...ts.openwall.com
Subject: Privsec vuln in beep / Code execution in GNU patch

Hi,

There was a joke webpage about a vulnerability in beep a few days ago:
http://holeybeep.ninja/
There's also a corresponding Debian Advisory:
https://lists.debian.org/debian-security-announce/2018/msg00089.html
Neither have any technical details. CVE is CVE-2018-0492.

If anyone knows the background of this please share it.

However it turned out that on that joke holey beep webpage there's a
patch with a hidden easter egg that's actually a vulnerability in GNU
patch.
GNU patch supports a legacy "ed" format for patches and that allows
executing external commands.

It's been reported to GNU patch now here:
https://savannah.gnu.org/bugs/index.php?53566
CVE is CVE-2018-1000156. (says an anonymous commenter...)

A minimal poc looks like this:
--- a	2018-13-37 13:37:37.000000000 +0100
+++ b	2018-13-37 13:38:38.000000000 +0100
1337a
1,112d
!id>~/pwn.lol

It looks like FreeBSD and OpenBSD have fixed something alike in 2015:
https://www.freebsd.org/security/advisories/FreeBSD-SA-15:18.bsdpatch.asc
https://ftp.openbsd.org/pub/OpenBSD/patches/5.7/common/013_patch.patch.sig



-- 
Hanno B?ck
https://hboeck.de/

mail/jabber: hanno@...eck.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42

============================ Additional Information ============================

For further reading see:
http://rachelbythebay.com/w/2018/04/05/bangpatch/

Oringinal "exploit" site:
https://holeybeep.ninja/

Original "exploit" patch:
https://holeybeep.ninja/beep.patch

================================= Our Analysis =================================

----- Affected Products -----
We have verified in our lab environment that GNU patch 2.7.5 that has not been
specifically patched for this vulnerability is vulnerable. This includes patch
as originally packaged in Cucumber Linux 1.0 and 1.1.

----- Scope and Impact of this Vulnerability -----
This vulnerability allows for arbitrary code execution if the user goes to apply
a malicious patch. It does not require any special flags to be passed; it is the
default behavior.

----- Testing if you are Affected -----
You can test if your version of patch is affected by attempting to apply the
patch from https://savannah.gnu.org/bugs/download.php?file_id=43815. Applying
this patch will require the presence of two files: 'a' and 'b' in the CWD
(without the quotes). If a file is created in your home directory called
'pwn.lol' containing the output of the `id` command, your version of patch is
vulnerable.

----- Fix for this Vulnerability -----
There are a couple of patches that people are claiming fix this vulnerability.
They are:
ed-fix.patch:
	https://savannah.gnu.org/bugs/download.php?file_id=43817
0001-Refuse-to-apply-ed-scripts-by-default.patch:
	https://savannah.gnu.org/bugs/download.php?file_id=43816

Of these, only ed-fix.patch has been applied to the official patch Git tree (see
commit
http://git.savannah.gnu.org/cgit/patch.git/commit/?id=123eaff0d5d1aebe128295959435b9ca5909c26d).
Consequentially, we have applied only the patch from that commit. We have
verified in our lab environment that this patch does fix the vulnerability.

================================= Our Solution =================================

We have applied a modified version of the patch from
http://git.savannah.gnu.org/cgit/patch.git/commit/?id=123eaff0d5d1aebe128295959435b9ca5909c26d
and rebuilt. Our modified patch can be found at:
http://mirror.cucumberlinux.com/cucumber/cucumber-1.1/source/base/patch/patches/00030_CVE-2018-1000156_123eaff0d5d1aebe128295959435b9ca5909c26d.patch