Report

CVE-2019-13636: Symlink-following vulnerability in GNU patch allows arbitrary file write

7d0f9a0b-5ca4-49bd-9ec3-e3b554664bf6

Description

GNU patch version 2.7.6 and earlier contains a symlink-following vulnerability that allows attackers to write files outside the intended patch directory. When patch applies patches to files, it opens target files without the O_NOFOLLOW flag. An attacker can create patches that reference symlinks pointing outside the working directory, causing patch to follow those symlinks and modify files beyond the patch scope. This affects critical operations in create_backup, create_file, copy_to_fd and append_to_file (in util.c) and plan_a and plan_b (in inp.c).

Analysis

Examined the patch source code at the v2.7.6 tag. Found that safe_open() calls lack the O_NOFOLLOW flag in multiple file operations:

(1) src/util.c:391 in the create_backup function opens the backup file without O_NOFOLLOW;
(2) src/util.c:563-564 in the create_file function opens files without O_NOFOLLOW;
(3) src/util.c:585 in copy_to_fd opens source files without O_NOFOLLOW;
(4) src/util.c:645 in append_to_file opens files without O_NOFOLLOW;
(5) src/inp.c:241,356 in the plan_a and plan_b functions open input files without O_NOFOLLOW.

Verified that the fix was implemented in commit dce4683 (July 15, 2019), which added O_NOFOLLOW flags conditionally based on the --follow-symlinks option.

Fix

The fix adds the O_NOFOLLOW flag to file opening operations in patch, preventing symlink traversal during file operations. The solution involves:

(1) Adding a conditional O_NOFOLLOW flag based on the follow_symlinks variable in the inp.c plan_a/plan_b functions;
(2) Adding O_NOFOLLOW to all file creation and opening operations in the util.c create_backup, create_file, copy_to_fd and append_to_file functions unless --follow-symlinks is explicitly specified;
(3) Using O_EXCL in create_backup to prevent race conditions and symlink attacks during backup file creation.

This prevents patch from following symlinks in file paths, restricting all file operations to the intended working directory.

Verification

The vulnerability was confirmed by examining the vulnerable code paths in v2.7.6 and comparing them with the fix in commit dce4683. The fix properly addresses the issue by refusing to follow symlinks in path components unless explicitly requested via the command-line option.

Vulnerability type: Symlink Traversal / Arbitrary File Write
Category: path-traversal, missing_dependency
Severity: critical
Tags: symlink-attack, patch, CVE-2019-13636, arbitrary-write, privilege-escalation
Affected versions: patch 2.7.6
Language: c
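The following is an added example, not code from GNU patch or from commit dce4683. It shows the two mechanisms the fix relies on, using a hypothetical open_nofollow() helper that mirrors the idea of a follow_symlinks switch: opening a symlink with O_NOFOLLOW fails with ELOOP instead of writing through to its target, and O_CREAT|O_EXCL refuses to "create" a backup at a path that already exists, even when that path is a symlink. The scratch directory, file names and the helper are all constructed for the demonstration.

```c
/* Added example (not GNU patch's code): why O_NOFOLLOW and O_EXCL matter when a
 * tool opens paths derived from untrusted input such as a patch file.
 * Builds a scratch directory holding a regular file and a symlink to it,
 * then opens the symlink with and without O_NOFOLLOW. */
#define _DEFAULT_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper modelled on the fix's approach: refuse symlinks unless
 * the caller explicitly asked to follow them (cf. --follow-symlinks). */
static int open_nofollow(const char *path, int flags, int follow_symlinks, mode_t mode)
{
    if (!follow_symlinks)
        flags |= O_NOFOLLOW;          /* final path component must not be a symlink */
    return open(path, flags, mode);
}

/* Constructed fixture: <dir>/target.txt (regular file) and <dir>/link.txt -> target.txt.
 * Returns 0 on success. */
static int build_fixture(char *dir, size_t dirlen, char *target, char *link, size_t n)
{
    snprintf(dir, dirlen, "/tmp/nofollow-demo-XXXXXX");
    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(target, n, "%s/target.txt", dir);
    snprintf(link, n, "%s/link.txt", dir);
    int fd = open(target, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0)
        return -1;
    close(fd);
    return symlink(target, link);
}

/* Returns 1 when all three checks behave as the mitigation intends:
 *  - open through the symlink with following disabled fails with ELOOP,
 *  - the same open with following enabled succeeds (the --follow-symlinks case),
 *  - O_CREAT|O_EXCL on the existing symlink fails (backup creation is not
 *    redirected through the link).
 * Returns 0 otherwise. */
int demo_nofollow(void)
{
    char dir[64], target[128], link[128];
    if (build_fixture(dir, sizeof dir, target, link, sizeof target) != 0)
        return 0;

    int ok = 1;

    errno = 0;
    int fd = open_nofollow(link, O_WRONLY, 0, 0);
    if (fd >= 0 || errno != ELOOP)
        ok = 0;                       /* the hardened open must refuse the symlink */
    if (fd >= 0)
        close(fd);

    fd = open_nofollow(link, O_WRONLY, 1, 0);
    if (fd < 0)
        ok = 0;                       /* explicit opt-in still follows the link */
    else
        close(fd);

    fd = open(link, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd >= 0) {
        ok = 0;                       /* O_EXCL must not succeed on an existing name */
        close(fd);
    }

    /* Clean up the scratch layout. */
    unlink(link);
    unlink(target);
    rmdir(dir);
    return ok;
}

int main(void)
{
    puts(demo_nofollow() ? "O_NOFOLLOW and O_EXCL behaved as expected"
                         : "unexpected result");
    return 0;
}
```

One caveat worth keeping in mind when reviewing similar fixes: O_NOFOLLOW only protects the final component of the path. A symlink in an intermediate directory component is still followed by open(), so a tool that validates untrusted paths needs a separate check (for example, lstat() on each component or openat() relative to a trusted directory descriptor) if intermediate symlinks are in scope.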