From 4db99f4012570a577414fe2a43697b2f239b699e Mon Sep 17 00:00:00 2001 From: Sevan Janiyan Date: Sun, 4 Nov 2018 14:21:02 +0000 Subject: [PATCH] Remove building with NOCRYPTO option Infrastructure change to come in a separate commit. https://mail-index.netbsd.org/tech-crypto/2017/05/06/msg000719.html Patch for CVE-2018-049. Prevent shell execution with r command. Check bounds before dereferencing in encryption routines. Document -S to disable ! commands. Sync with NetBSD-8 closes #268 Change-Id: I1c2849e0097b0cc9f89beef5ee24ccd9d73b4ee2 --- bin/ed/Makefile | 5 +---- bin/ed/cbc.c | 8 ++++---- bin/ed/ed.1 | 13 ++++++++++--- bin/ed/main.c | 28 ++++++++++++++++++---------- 4 files changed, 33 insertions(+), 21 deletions(-) diff --git a/bin/ed/Makefile b/bin/ed/Makefile index 4bd271f04..b7ecc8454 100644 --- a/bin/ed/Makefile +++ b/bin/ed/Makefile @@ -1,13 +1,10 @@ -# $NetBSD: Makefile,v 1.36 2009/07/26 01:58:20 dholland Exp $ +# $NetBSD: Makefile,v 1.37 2017/05/21 15:28:36 riastradh Exp $ .include PROG= ed CPPFLAGS+=-DBACKWARDS - -.if (${MKCRYPTO} != "no") CPPFLAGS+=-DDES -.endif SRCS= buf.c cbc.c glbl.c io.c main.c re.c sub.c undo.c diff --git a/bin/ed/cbc.c b/bin/ed/cbc.c index 5d35caeeb..ef4282915 100644 --- a/bin/ed/cbc.c +++ b/bin/ed/cbc.c @@ -1,4 +1,4 @@ -/* $NetBSD: cbc.c,v 1.23 2014/03/23 05:06:42 dholland Exp $ */ +/* $NetBSD: cbc.c,v 1.24 2016/02/01 17:34:00 christos Exp $ */ /* cbc.c: This file contains the encryption routines for the ed line editor */ /*- @@ -72,7 +72,7 @@ #if 0 static char *rcsid = "@(#)cbc.c,v 1.2 1994/02/01 00:34:36 alm Exp"; #else -__RCSID("$NetBSD: cbc.c,v 1.23 2014/03/23 05:06:42 dholland Exp $"); +__RCSID("$NetBSD: cbc.c,v 1.24 2016/02/01 17:34:00 christos Exp $"); #endif #endif /* not lint */ @@ -303,7 +303,7 @@ expand_des_key(char *obuf /* bit pattern */, char *inbuf /* the key itself */) /* * now translate it, bombing on any illegal hex digit */ - for (i = 0; inbuf[i] && i < 16; i++) + for (i = 0; i < 16 && inbuf[i]; i++) if ((nbuf[i] = hex_to_binary((int) inbuf[i], 16)) == -1) des_error("bad hex digit in key"); while (i < 16) @@ -323,7 +323,7 @@ expand_des_key(char *obuf /* bit pattern */, char *inbuf /* the key itself */) /* * now translate it, bombing on any illegal binary digit */ - for (i = 0; inbuf[i] && i < 16; i++) + for (i = 0; i < 16 && inbuf[i]; i++) if ((nbuf[i] = hex_to_binary((int) inbuf[i], 2)) == -1) des_error("bad binary digit in key"); while (i < 64) diff --git a/bin/ed/ed.1 b/bin/ed/ed.1 index c39e91baf..c459197b3 100644 --- a/bin/ed/ed.1 +++ b/bin/ed/ed.1 @@ -1,4 +1,4 @@ -.\" $NetBSD: ed.1,v 1.30 2010/05/14 02:09:58 joerg Exp $ +.\" $NetBSD: ed.1,v 1.30.40.1 2018/04/08 06:04:08 snj Exp $ .\" $OpenBSD: ed.1,v 1.42 2003/07/27 13:25:43 jmc Exp $ .\" .\" Copyright (c) 1993 Andrew Moore, Talke Studio. @@ -25,7 +25,7 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.Dd January 23, 2002 +.Dd April 5, 2018 .Dt ED 1 .Os .Sh NAME @@ -34,7 +34,7 @@ .Sh SYNOPSIS .Nm .Op Fl -.Op Fl Esx +.Op Fl ESsx .Op Fl p Ar string .Op Ar file .Sh DESCRIPTION @@ -130,6 +130,12 @@ option (deprecated). .It Fl E Enables the use of extended regular expressions instead of the basic regular expressions that are normally used. +.It Fl S +Disables using of the +.Dq ! +command (execuring a subshell). +Intended to be used by batch jobs like +.Xr patch 1 . .It Fl p Ar string Specifies a command prompt. This may be toggled on and off with the @@ -955,6 +961,7 @@ but any changes to the buffer are lost. .Xr sed 1 , .Xr sh 1 , .Xr vi 1 , +.Xr patch 1 , .Xr regex 3 .Pp USD:09-10 diff --git a/bin/ed/main.c b/bin/ed/main.c index 126d10be7..aa6801e2b 100644 --- a/bin/ed/main.c +++ b/bin/ed/main.c @@ -1,4 +1,4 @@ -/* $NetBSD: main.c,v 1.27 2014/03/31 12:55:46 christos Exp $ */ +/* $NetBSD: main.c,v 1.28.8.2 2018/06/22 10:08:22 martin Exp $ */ /* main.c: This file contains the main control and user-interface routines for the ed line editor. */ @@ -39,7 +39,7 @@ __COPYRIGHT( #if 0 static char *rcsid = "@(#)main.c,v 1.1 1994/02/01 00:34:42 alm Exp"; #else -__RCSID("$NetBSD: main.c,v 1.27 2014/03/31 12:55:46 christos Exp $"); +__RCSID("$NetBSD: main.c,v 1.28.8.2 2018/06/22 10:08:22 martin Exp $"); #endif #endif /* not lint */ @@ -94,6 +94,7 @@ int mutex = 0; /* if set, signals set "sigflags" */ int red = 0; /* if set, restrict shell/directory access */ int ere = 0; /* if set, use extended regexes */ int scripted = 0; /* if set, suppress diagnostics */ +int secure = 0; /* is set, ! is not allowed */ int sigflags = 0; /* if set, signals received while mutex set */ int sigactive = 0; /* if set, signal handlers are enabled */ @@ -105,7 +106,7 @@ const char *prompt; /* command-line prompt */ const char *dps = "*"; /* default command-line prompt */ -static const char usage[] = "Usage: %s [-] [-sxE] [-p string] [name]\n"; +static const char usage[] = "Usage: %s [-] [-ESsx] [-p string] [name]\n"; /* ed: line editor */ int @@ -118,7 +119,7 @@ main(int ac, char *av[]) red = (n = strlen(argv[0])) > 2 && argv[0][n - 3] == 'r'; top: - while ((c = getopt(argc, argv, "p:sxE")) != -1) + while ((c = getopt(argc, argv, "p:sxES")) != -1) switch(c) { case 'p': /* set prompt */ prompt = optarg; @@ -137,6 +138,9 @@ top: case 'E': ere = REG_EXTENDED; break; + case 'S': /* ! is not allowed */ + secure = 1; + break; default: fprintf(stderr, usage, getprogname()); exit(1); @@ -223,11 +227,14 @@ top: } isglobal = 0; if ((status = extract_addr_range()) >= 0 && - (status = exec_command()) >= 0) - if (!status || (status && - (status = display_lines(current_addr, current_addr, - status)) >= 0)) + (status = exec_command()) >= 0) { + if (status == 0) + continue; + status = display_lines(current_addr, current_addr, + status); + if (status >= 0) continue; + } switch (status) { case EOF: quit(0); @@ -861,7 +868,8 @@ exec_command(void) if (addr_cnt > 0) { seterrmsg("unexpected address"); return ERR; - } else if ((sflags = get_shell_command()) < 0) + } + if ((sflags = get_shell_command()) < 0) return ERR; GET_COMMAND_SUFFIX(); if (sflags) printf("%s\n", shcmd + 1); @@ -983,7 +991,7 @@ get_shell_command(void) int i = 0; int j = 0; - if (red) { + if (red || secure) { seterrmsg("shell access restricted"); return ERR; } else if ((s = ibufp = get_extended_line(&j, 1)) == NULL) -- 2.11.4.GIT