[Midnightbsd-cvs] src [7208] trunk/usr.bin/patch: Fix a shell injection vulnerability in patch.

[laffer1 at midnightbsd.org]

Revision: 7208
          http://svnweb.midnightbsd.org/src/?rev=7208
Author:   laffer1
Date:     2015-08-05 20:00:59 -0400 (Wed, 05 Aug 2015)
Log Message:
-----------
Fix a shell injection vulnerability in patch.

Modified Paths:
--------------
    trunk/usr.bin/patch/pathnames.h
    trunk/usr.bin/patch/pch.c

Modified: trunk/usr.bin/patch/pathnames.h
===================================================================
--- trunk/usr.bin/patch/pathnames.h	2015-08-02 19:53:24 UTC (rev 7207)
+++ trunk/usr.bin/patch/pathnames.h	2015-08-06 00:00:59 UTC (rev 7208)
@@ -1,13 +1,12 @@
-/* $MidnightBSD$ */
 /*-
  * Placed in the public domain by Todd C. Miller <Todd.Miller at courtesan.com>
  * on July 29, 2003.
  *
  * $OpenBSD: pathnames.h,v 1.1 2003/07/29 20:10:17 millert Exp $
- * $FreeBSD: stable/10/usr.bin/patch/pathnames.h 246091 2013-01-29 20:05:16Z delphij $
+ * $FreeBSD: stable/10/usr.bin/patch/pathnames.h 286348 2015-08-05 22:05:02Z delphij $
  */
 
 
 #include <paths.h>
 
-#define	_PATH_ED		"/bin/ed"
+#define	_PATH_RED		"/bin/red"

Modified: trunk/usr.bin/patch/pch.c
===================================================================
--- trunk/usr.bin/patch/pch.c	2015-08-02 19:53:24 UTC (rev 7207)
+++ trunk/usr.bin/patch/pch.c	2015-08-06 00:00:59 UTC (rev 7208)
@@ -26,7 +26,7 @@
  * behaviour
  *
  * $OpenBSD: pch.c,v 1.43 2014/11/18 17:03:35 tobias Exp $
- * $FreeBSD: stable/10/usr.bin/patch/pch.c 276807 2015-01-08 03:44:54Z pfg $
+ * $FreeBSD: stable/10/usr.bin/patch/pch.c 286348 2015-08-05 22:05:02Z delphij $
  */
 
 #include <sys/types.h>
@@ -1410,6 +1410,7 @@
 	char	*t;
 	off_t	beginning_of_this_line;
 	FILE	*pipefp = NULL;
+	int	continuation;
 
 	if (!skip_rest_of_patch) {
 		if (copy_file(filearg[0], TMPOUTNAME) < 0) {
@@ -1416,7 +1417,7 @@
 			unlink(TMPOUTNAME);
 			fatal("can't create temp file %s", TMPOUTNAME);
 		}
-		snprintf(buf, buf_size, "%s%s%s", _PATH_ED,
+		snprintf(buf, buf_size, "%s%s%s", _PATH_RED,
 		    verbose ? " " : " -s ", TMPOUTNAME);
 		pipefp = popen(buf, "w");
 	}
@@ -1434,7 +1435,19 @@
 		    (*t == 'a' || *t == 'c' || *t == 'd' || *t == 'i' || *t == 's')) {
 			if (pipefp != NULL)
 				fputs(buf, pipefp);
-			if (*t != 'd') {
+			if (*t == 's') {
+				for (;;) {
+					continuation = 0;
+					t = strchr(buf, '\0') - 1;
+					while (--t >= buf && *t == '\\')
+						continuation = !continuation;
+					if (!continuation ||
+					    pgets(true) == 0)
+						break;
+					if (pipefp != NULL)
+						fputs(buf, pipefp);
+				}
+			} else if (*t != 'd') {
 				while (pgets(true)) {
 					p_input_line++;
 					if (pipefp != NULL)