CVE-2019-13636

2020-02-03 16:29:15 +08:00 · 2020-02-03 16:29:15 +08:00 · 475690985a
commit 475690985a
parent 68f7530d5c
2 changed files with 121 additions and 7 deletions
--- a/CVE-2019-13636.patch
+++ b/CVE-2019-13636.patch
@ -0,0 +1,107 @@
+From dce4683cbbe107a95f1f0d45fabc304acfb5d71a Mon Sep 17 00:00:00 2001
+From: Andreas Gruenbacher <agruen@gnu.org>
+Date: Mon, 15 Jul 2019 16:21:48 +0200
+Subject: Don't follow symlinks unless --follow-symlinks is given
+
+* src/inp.c (plan_a, plan_b), src/util.c (copy_to_fd, copy_file,
+append_to_file): Unless the --follow-symlinks option is given, open files with
+the O_NOFOLLOW flag to avoid following symlinks.  So far, we were only doing
+that consistently for input files.
+* src/util.c (create_backup): When creating empty backup files, (re)create them
+with O_CREAT | O_EXCL to avoid following symlinks in that case as well.
+---
+ src/inp.c  | 12 ++++++++++--
+ src/util.c | 14 +++++++++++---
+ 2 files changed, 21 insertions(+), 5 deletions(-)
+
+diff --git a/src/inp.c b/src/inp.c
+index 32d0919..22d7473 100644
+--- a/src/inp.c
+++ b/src/inp.c
+@@ -238,8 +238,13 @@ plan_a (char const *filename)
+     {
+       if (S_ISREG (instat.st_mode))
+         {
+-	  int ifd = safe_open (filename, O_RDONLY|binary_transput, 0);
+	  int flags = O_RDONLY | binary_transput;
+ 	  size_t buffered = 0, n;
+	  int ifd;
+
+	  if (! follow_symlinks)
+	    flags |= O_NOFOLLOW;
+	  ifd = safe_open (filename, flags, 0);
+ 	  if (ifd < 0)
+ 	    pfatal ("can't open file %s", quotearg (filename));
+ 
+@@ -340,6 +345,7 @@ plan_a (char const *filename)
+ static void
+ plan_b (char const *filename)
+ {
+  int flags = O_RDONLY | binary_transput;
+   int ifd;
+   FILE *ifp;
+   int c;
+@@ -353,7 +359,9 @@ plan_b (char const *filename)
+ 
+   if (instat.st_size == 0)
+     filename = NULL_DEVICE;
+-  if ((ifd = safe_open (filename, O_RDONLY | binary_transput, 0)) < 0
+  if (! follow_symlinks)
+    flags |= O_NOFOLLOW;
+  if ((ifd = safe_open (filename, flags, 0)) < 0
+       || ! (ifp = fdopen (ifd, binary_transput ? "rb" : "r")))
+     pfatal ("Can't open file %s", quotearg (filename));
+   if (TMPINNAME_needs_removal)
+diff --git a/src/util.c b/src/util.c
+index 1cc08ba..fb38307 100644
+--- a/src/util.c
+++ b/src/util.c
+@@ -388,7 +388,7 @@ create_backup (char const *to, const struct stat *to_st, bool leave_original)
+ 
+ 	  try_makedirs_errno = ENOENT;
+ 	  safe_unlink (bakname);
+-	  while ((fd = safe_open (bakname, O_CREAT | O_WRONLY | O_TRUNC, 0666)) < 0)
+	  while ((fd = safe_open (bakname, O_CREAT | O_EXCL | O_WRONLY | O_TRUNC, 0666)) < 0)
+ 	    {
+ 	      if (errno != try_makedirs_errno)
+ 		pfatal ("Can't create file %s", quotearg (bakname));
+@@ -579,10 +579,13 @@ create_file (char const *file, int open_flags, mode_t mode,
+ static void
+ copy_to_fd (const char *from, int tofd)
+ {
+  int from_flags = O_RDONLY | O_BINARY;
+   int fromfd;
+   ssize_t i;
+ 
+-  if ((fromfd = safe_open (from, O_RDONLY | O_BINARY, 0)) < 0)
+  if (! follow_symlinks)
+    from_flags |= O_NOFOLLOW;
+  if ((fromfd = safe_open (from, from_flags, 0)) < 0)
+     pfatal ("Can't reopen file %s", quotearg (from));
+   while ((i = read (fromfd, buf, bufsize)) != 0)
+     {
+@@ -625,6 +628,8 @@ copy_file (char const *from, char const *to, struct stat *tost,
+   else
+     {
+       assert (S_ISREG (mode));
+      if (! follow_symlinks)
+	to_flags |= O_NOFOLLOW;
+       tofd = create_file (to, O_WRONLY | O_BINARY | to_flags, mode,
+ 			  to_dir_known_to_exist);
+       copy_to_fd (from, tofd);
+@@ -640,9 +645,12 @@ copy_file (char const *from, char const *to, struct stat *tost,
+ void
+ append_to_file (char const *from, char const *to)
+ {
+  int to_flags = O_WRONLY | O_APPEND | O_BINARY;
+   int tofd;
+ 
+-  if ((tofd = safe_open (to, O_WRONLY | O_BINARY | O_APPEND, 0)) < 0)
+  if (! follow_symlinks)
+    to_flags |= O_NOFOLLOW;
+  if ((tofd = safe_open (to, to_flags, 0)) < 0)
+     pfatal ("Can't reopen file %s", quotearg (to));
+   copy_to_fd (from, tofd);
+   if (close (tofd) != 0)
+-- 
+cgit v1.2.1
--- a/patch.spec
+++ b/patch.spec
@ -1,17 +1,18 @@
 Name:		patch
 Version:	2.7.6
-Release:	10
+Release:	11
 Summary:	Utiliity which applies a patch file to original files.
 License:	GPLv3+
 URL:	 	http://www.gnu.org/software/patch/patch.html
 Source0:	https://ftp.gnu.org/gnu/patch/patch-%{version}.tar.xz
 Patch0: 	patch-CVE-2018-1000156.patch
-Patch6000: 	CVE-2018-6951.patch
-Patch6001: 	Fix-check-of-return-value-of-fwrite.patch
-Patch6002: 	Don-t-leak-temporary-file-on-failed-ed-style-patch.patch
-Patch6003: 	Don-t-leak-temporary-file-on-failed-multi-file-ed-st.patch
-Patch6004: 	Fix-swapping-fake-lines-in-pch_swap.patch
-Patch6005:      CVE-2018-20969-and-CVE-2019-13638.patch
+Patch1: 	CVE-2018-6951.patch
+Patch2: 	Fix-check-of-return-value-of-fwrite.patch
+Patch3: 	Don-t-leak-temporary-file-on-failed-ed-style-patch.patch
+Patch4: 	Don-t-leak-temporary-file-on-failed-multi-file-ed-st.patch
+Patch5: 	Fix-swapping-fake-lines-in-pch_swap.patch
+Patch6:         CVE-2018-20969-and-CVE-2019-13638.patch
+Patch7:         CVE-2019-13636.patch

 BuildRequires:	gcc libselinux-devel libattr-devel ed
 Buildroot:	%{_tmppath}/%{name}-%{version}-%{release}-root-root
@ -54,6 +55,12 @@ make check
 %{_mandir}/man1/*

 %changelog
+* Mon Feb 3 2020 openEuler Buildteam <buildteam@openeuler.org> - 2.7.6-11
+- Type:CVE
+- ID:NA
+- SUG:NA
+- DESC:Fix CVE-2019-13636
+
 * Thu Jan 9 2020 openEuler Buildteam <buildteam@openeuler.org> - 2.7.6-10
 - Type:NA
 - ID:NA