| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The last case to call output_file() in the main loop is
output_file (outname, NULL, &tmpoutst, NULL, NULL,
file_type | 0, backup);
and this essentially means to create a backup file (where to=NULL)
only if backup=true, and does nothing else.
And, in the current code, the passed file stat (&tmpoutst) is a file
stat of the temporary file that has been processed, not the original
file (outname) to be backed up. When the backup is performed
immediately, this is no big problem. However, output_file() may
schedule the deferred handling, and the given file may be backed up at
a later point. The problem is that create_backup() tries to avoid the
backup of the same file twice, and it checks the given stat i-node
number in the hash list. Since it's a stat of a temporary file, the
same i-node number may be reused once a temp file is deleted and
another is created. This results in a false-positive detection of the
already existing file, eventually missing a backup file.
This patch attempts to address the issue:
- Modify the condition for better understanding, clearly indicating
that the code there is for creating a backup file
- Pass the stat of the original file instead of a temporary file
BugLink: https://bugzilla.opensuse.org/show_bug.cgi?id=1198106
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Jean Delvare <jdelvare@suse.de>
|
| |
|
|
|
|
|
|
|
|
| |
* bootstrap: Update.
* bootstrap.conf (gnulib_modules): Replace getdate with parse-datetime, malloc
with malloc-gnu, and realloc with realloc-gnu.
* src/patch.c (main): Function find_backup_file_name has gained a new dir_fd
argument.
* src/util.c (create_backup): Likewise.
(fetchname): Function get_date has been renamed to parse_datetime.
|
| |
|
|
|
|
|
| |
The assertion triggers when the -o FILE option is used, more than one output
file is written into FILE, and one of those files (except the last one) ends in
the middle of a line.
* src/patch.c (main): Fix the case described above.
|
| |
|
|
|
| |
* src/pch.c (another_hunk): Avoid invalid memory access in context format
diffs.
|
| |
|
|
|
|
|
|
|
| |
* src/inp.c (plan_a, plan_b), src/util.c (copy_to_fd, copy_file,
append_to_file): Unless the --follow-symlinks option is given, open files with
the O_NOFOLLOW flag to avoid following symlinks. So far, we were only doing
that consistently for input files.
* src/util.c (create_backup): When creating empty backup files, (re)create them
with O_CREAT | O_EXCL to avoid following symlinks in that case as well.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
* src/safe.c (min_cached_fds): Define minimum number of cached dir file
descriptors.
(max_cached_fds): Change type to rlim_t to allow storing RLIM_INFINITY.
(init_dirfd_cache): Set max_cached_fds to RLIM_INFINITY when RLIMIT_NOFILE is
RLIM_INFINITY. Set the initial hash table size to min_cached_fds, independent
of RLIMIT_NOFILE: patches commonly only affect one or a few files, so a small
hash table will usually suffice; if needed, the hash table will grow.
(insert_cached_dirfd): Don't shrink the cache when max_cached_fds is
RLIM_INFINITY.
|
| |
|
|
|
|
|
|
|
| |
When a fatal error triggers during cleanup, another attempt will be made to
clean up, which will likely lead to the same fatal error. So instead, bail out
when that happens.
src/patch.c (cleanup): Bail out when called recursively.
(main): There is no need to call output_files() before cleanup() as cleanup()
already does that.
|
| |
|
|
|
|
|
| |
When building with the address sanitizer on, free some more resources before
exiting. (This is unnecessary when not looking for memory leaks.)
* src/patch.c (init_files_to_delete): Add dispose function for freeing
filenames.
|
| |
|
|
|
|
|
|
| |
* src/pch.c (pch_swap): Fix swapping p_bfake and p_efake when there is a
blank line in the middle of a context-diff hunk: that empty line stays
in the middle of the hunk and isn't swapped.
Fixes: https://savannah.gnu.org/bugs/index.php?53133
|
| |
|
|
|
|
| |
* src/pch.c (another_hunk): In the (debug & 2) output, fix how empty
lines that are not part of the patch context are printed. Also, add
newlines to lines that are missing them to keep the output readable.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The previous fix worked fine with single-file ed-style patches, but
would still leak temporary files in the case of multi-file ed-style
patch. Fix that case as well, and extend the test case to check for
it.
* src/patch.c (main): Unlink TMPEDNAME if needed before moving to
the next file in a patch.
This closes bug #53820:
https://savannah.gnu.org/bugs/index.php?53820
Fixes: 123eaff0d5d1 ("Fix arbitrary command execution in ed-style patches (CVE-2018-1000156)")
Fixes: 19599883ffb6 ("Don't leak temporary file on failed ed-style patch")
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Now that we write ed-style patches to a temporary file before we
apply them, we need to ensure that the temporary file is removed
before we leave, even on fatal error.
* src/pch.c (do_ed_script): Use global TMPEDNAME instead of local
tmpname. Don't unlink the file directly, instead tag it for removal
at exit time.
* src/patch.c (cleanup): Unlink TMPEDNAME at exit.
This closes bug #53820:
https://savannah.gnu.org/bugs/index.php?53820
Fixes: 123eaff0d5d1 ("Fix arbitrary command execution in ed-style patches (CVE-2018-1000156)")
|
| |
|
|
|
| |
* src/patch.c (copy_till): Consider incomplete fwrite() write as an error.
* src/pch.c (pch_write_line, do_ed_script): Likewise.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Hi Andreas,
I configured with --enable-gcc-warnings and bleeding-edge gcc
(version 8.0.1 20180406) and hit some warning-escalated-to-errors.
This fixes them:
>From a71ddb200dbe7ac0f9258796b5a51979b2740e88 Mon Sep 17 00:00:00 2001
From: Jim Meyering <meyering@fb.com>
Date: Fri, 6 Apr 2018 16:47:00 -0700
Subject: [PATCH] maint: avoid warnings from GCC8
* src/common.h (FALLTHROUGH): Define.
* src/patch.c (abort_hunk_context): Use FALLTHROUGH macro in place of
a comment. This avoids a warning from -Wimplicit-fallthrough=.
* src/pch.c (do_ed_script): Add otherwise unnecessary initialization
to avoid warning from -Wmaybe-uninitialized.
(another_hunk): Use FALLTHROUGH macro here, too, twice.
|
| |
|
|
| |
* src/pch.c (do_ed_script): Minor cleanups.
|
| |
|
|
|
| |
* bootstrap.conf (gnulib_modules): Add execute.
* src/pch.c (do_ed_script): Switch from fork + execlp to execute.
|
| |
|
|
|
| |
* src/pch.c (do_ed_script): Invoke ed directly instead of using a shell
command to avoid quoting vulnerabilities.
|
| |
|
|
|
|
|
|
| |
* src/pch.c (do_ed_script): Write ed script to a temporary file instead
of piping it to ed: this will cause ed to abort on invalid commands
instead of rejecting them and carrying on.
* tests/ed-style: New test case.
* tests/Makefile.am (TESTS): Add test case.
|
| |
|
|
|
| |
* src/pch.c (do_ed_script): Allow input files to be missing so that new
files will be created as with non-ed-style patches.
|
| |
|
|
|
|
| |
http://savannah.gnu.org/bugs/?53132
* src/pch.c (intuit_diff_type): Ensure that two filenames are specified
for renames and copies (fix the existing check).
|
| |
|
|
|
| |
* src/util.c (set_file_attributes): Avoid sign conversion warnings when
assigning -1 to uid_t / gid_t.
|
| |
|
|
|
| |
* src/pch.c (another_hunk): Clarify the error messages for malformed
normal diff patches.
|
| |
|
|
|
|
|
|
|
|
| |
* src/patch.c (main): Create git diff files with indicated mode.
* tests/file-create-modes: New test case.
* tests/Makefile.am (TESTS): Add test case.
This fixes building current Linux 4.14.x from the signed tarball and
patch file, where the patch creates a script with the executable bit
set.
|
| |
|
|
|
|
| |
* src/patch.c (locate_hunk): Don't allow a hunk to overlap with the
previous one.
* tests/false-match: Add regression test.
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* src/common.h, src/merge.c (context_matches_file), src/patch.c
(get_some_switches, patch_match), src/pch.c(another_hunk): Rename the
global variable 'canonicalize' to 'canonicalize_ws'.
Patch uses a global variable 'canonicalize' as part of its
implementation of the --ignore-whitespace flag.
In glibc there is a function canonicalize():
https://www.gnu.org/software/libc/manual/html_node/FP-Bit-Twiddling.html#index-canonicalize
Rename the global variable so that it will not conflict.
Original bug report:
https://bugzilla.redhat.com/show_bug.cgi?id=1422463
|
| |
|
|
|
| |
* src/util.c (parse_name): parse_c_string() can fail and return NULL.
Check for that so that we won't access the NULL pointer here.
|
| |
|
|
|
|
| |
This bug can trigger with malformed patches.
* src/pch.c (pch_write_line): Avoid out-of-bounds access to
p_line[line][p_len[line] - 1] when p_len[line] is 0.
|
| |
|
|
|
|
| |
* src/pch.c (set_hunkmax): Don't cast return value of xmalloc.
(grow_hunkmax): Likewise for two uses of realloc that the syntax-check
rule did not detect.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When configured with --enable-gcc-warnings and gcc-6.1, ...
* src/safe.c (count_path_components): Use _GL_ATTRIBUTE_PURE,
to avoid an error from -Werror=suggest-attribute=pure.
* src/util.h (filename_is_safe): Likewise.
* src/patch.c (main): Placate -Werror=format= by casting
pch_mode's mode_t return type to the "unsigned int" required
to match the %o format string.
* src/patch.c (delete_files): Correct indentation, to avoid
this error from -Werror=misleading-indentation:
patch.c: In function 'delete_files':
patch.c:1816:4: error: this 'if' clause does not guard...
if (verbosity == VERBOSE)
^~
patch.c:1820:6: note: ...this statement, but the latter is
misleadingly indented as if it is guarded by the 'if'
move_file (0, 0, 0, file_to_delete->name, mode,
^~~~~~~~~
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When a git-syle patch is applied, all file modifications are done to
temporary files which are put in place when the patch ends. When a
patch fails, GNU patch was trying to "roll back" to the start. A bug in
that code that lead to accidental file deletion was recently discovered
by Richard Weinberger <richard@nod.at>. Even worse though, GNU patch
should not exhibit this "rollback" behavior in the first place; that's
not what people expect. Instead, the files modified so far should be put
in place.
* src/patch.c (cleanup): Put output files processed successfully
in place instead of trying to "roll back" to the start.
(forget_output_files): Remove obsolete (and broken) function.
* tests/git-cleanup: New broken git-style patch test case that exercises
the cleanup path.
* tests/Makefile.am (TESTS): Add new test case.
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
* src/safe.h (unsafe): New flag to allow turning off safe file
operations.
* src/safe.c (safe_xstat, safe_open, safe_rename, safe_mkdir,
safe_rmdir, safe_unlink, safe_symlink, safe_chmod, safe_lchown,
safe_lutimens, safe_readlink, safe_access): When safe file operations
are turned off, skip safe path traversal. Any symlink checks of the
last path component are still done though.
* src/patch.c (main): When the file to patch is specified on the command
line, turn off safe file operations.
* tests/inname: Fix typo in test.
|
| |
|
|
|
|
| |
* src/safe.c (struct symlink): Get rid of the zero-size array which is a gcc
extension.
(read_symlink): Adapt to this struct symlink change.
|
| |
|
|
|
|
|
|
| |
The function readlink does not nul terminate its result string. safe_readlink
is a wrapper for readlinkat, which has the same behaviour.
* src/util.c (copy_file): Therefore, explicitly set '\0' and reserve one byte
for it. (agruen: Reserve PATH_MAX + 1 bytes instead of only reading PATH_MAX -
1 characters.)
|
| |
|
|
|
| |
* src/bestmatch.h (bestmatch): Use xmalloc instead of malloc to handle
out-of-memory situations.
|
| |
|
|
|
|
|
|
|
|
| |
Reported by Tim Waugh <twaugh@redhat.com>.
* src/pch.c (intuit_diff_type): Don't require a traditional patch header
("--- old\n+++ new/n") after a "git --diff" header; the "git --diff" header
gives us enough information for being able to process subsequent hunks. This
deals with corrupted patches more gracefully.
* tests/corrupt-patch: New test case.
* tests/Makefile.am (TESTS): Add test case.
|
| |
|
|
|
|
|
|
|
|
| |
* src/safe.c (cwd_stat_errno, cwd_stat): stat() result of ".".
(read_symlink): When a symlink is absolute, check if it leads back into the
working directory. If it does, strip off the prefix above the working
directory. If the symlink points to the working directory, return an empty
path.
(traverse_another_path): Recognize empty paths from read_symlink().
* tests/symlinks: Absolute symlink test cases.
|
| | |
|
| |
|
|
|
| |
* src/safe.c: We don't need a long counter if we use overflow-safe arithmetic
here.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When resolving a symlink in a pathname, we traverse each path component in the
symlink and cache all of them. At the end, add an additional cache entry for
the symlink itself so that we don't have to resolve the symlink again (even
though this will usually be cached). Skip that if the symlink's parent isn't
in the cache anymore, though.
* src/safe.c (free_cached_dirfd): Remove from parent here instead of in
callers. Move close() to remove_cached_dirfd() instead.
(insert_cached_dirfd): Only insert if the entry's parent still exists; entries
without parent are invalid (see compare_cached_dirfds()); "top-level" entries
have cwd as their parent.
(new_cached_dirfd): New function split off from openat_cached().
(openat_cached): Use new_cached_dirfd() here.
(traverse_another_path): When starting to resolve a symlink, create an unhashed
dirfd cache entry for the symlink lookup result. When the symlink is completely
resolved, add that entry to the cache.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If we don't do that, a directory could be removed from the cache, a new
directory with the same dirfd could be created, and the entries from the old
directory would appear in the new directory.
* src/safe.c (struct cached_dirfd): Keep track of the children of each dirfd
cache entry.
(remove_cached_dirfd): Remove all the entry's children from the lookup hash,
take them off the list of children, and initialize the children's
children_link. Then, remove the entry itself from its parent. This has no
effect if the entry doesn't have a parent because then, children_link is empty.
(openat_cached): Add new dirfd cache entries to their parent's list of children
and initialize the entry's list of children.
(traverse_another_path): Also initialize cwd's list of children.
|
| |
|
|
|
|
|
|
|
|
| |
* src/safe.c (struct cached_dirfd): Replace prev and next with a lru_link
list_head.
(lru_list): Turn into a list_head.
(lru_list_add, lru_list_del, lru_list_del_init): Replace by list_add(),
list_del(), list_del_init().
(insert_cached_dirfd): Get to the list entry from the embedded list_head with
the list_entry() macro.
|
| |
|
|
|
| |
* src/list.h: New data structure.
src/Makefile.am (patch_SOURCES): Add list.h.
|
| |
|
|
|
|
|
| |
src/safe.c (safe_rename, safe_rmdir): Only invalidate cache entries when the
underlying sycall succeeds and the entry actually goes away. This keeps the
cache filled upon speculative rmdir when the directory may not be empty, for
example.
|
| |
|
|
|
|
|
| |
* src/safe.c (traverse_another_path): Don't report errors here.
* src/patch.c (main): Instead, recognize and report them here. Detect when an
output file name is invalid; it doesn't make sense to try creating a
reject file based on the same outbut file name in that case.
|
| |
|
|
|
|
|
| |
src/safe.c (MAX_PATH_COMPONENTS): The maximum number of path components
allowed.
(count_path_components): New function.
(traverse_another_path): Fail if the number of path components gets too high.
|
| |
|
|
|
|
|
|
|
| |
* src/safe.c (struct symlink): A symlink to resolve.
(push_symlink, pop_symlink): New functions.
(read_symlink): Create a new symlink stack entry.
(traverse_next): Follow ".." components within the working directory. When
hitting symlinks, "follow" them by reading and returning them.
(traverse_another_path): Recursively traverse symlinks.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
* src/safe.c (struct cached_dirfd): Add parent pointer. Now that we know our
parent, we no longer need to duplicate its directory file descriptor.
(lookup_cached_dirfd): Don't update the lru list here.
(insert_cached_dirfd): The lru list may now be empty even if the cache is not.
(put_path): New function to put a path back into the lru list.
(openat_cached): Take cached entried off the lru list. They are added back
in put_path().
(traverse_another_path): Put lookup result back into the lru list with
put_path().
|
| |
|
|
|
|
|
| |
Prepare for keeping track of the directory hierarchy:
* src/safe.c (traverse_another_path): Pass struct cached_dirfd to
traverse_next().
(traverse_next, openat_cached): Pass through struct cached_dirfd.
|
| |
|
|
|
|
|
| |
* src/util.c (make_tempfile): Remove error reporting here.
* src/inp.c (plan_b): Readd error reporting here.
* src/patch.c (main): Likewise.
* src/pch.c (open_patch_file): Likewise.
|
