# devel/patch 2.7.6 vulnerable



## Roald (Jun 2, 2019)

Today I had to update libreoffice.
And `# portmaster -L` gave a warning that I would need to install devel/patch 2.7.6 (in order to update libreoffice), which portmaster said was vulnerable, and stopped/failed updating libreoffice.

So I had a look at: https://www.freshports.org/devel/patch/
And decided to `# pkg install devel/patch`

devel/patch 2.7.6 installed, I then updated libreoffice.
After the libreoffice update finished, I did `# pkg remove devel/patch`

Questions:
- Could these actions actually hurt the system?
- Does portmaster always warn about vulnerabilities?


----------



## tingo (Jun 2, 2019)

Well, patch is used to patch one or more source files of (in this case) LibreOffice. The relevant vulnerability report for patch (in this case) contains three separate vulnerabilities; the first two will result in the patch program failing during execution (IMHO), which (most likely) would result in one or more patches failing during 'make' of the LibreOffice port. If that resulted in a failed build, you would know.
The third patch vulnerability is the most (IMHO) "dangerous" one: "when processing patch files, specifically the EDITOR_PROGRAM invocation (using ed) can result in code execution. This attack appear to be exploitable via a patch file processed via the patch utility."
So, if someone managed to "sneak in" a malicious patch file for the LibreOffice port, there is a chance that you could end up with malicious code in your LibreOffice built from this port. It is hard to assign a "number" to this risk; how likely is it that the scenario will happen?
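
As an added example (not part of tingo's post, and not code from the FreeBSD ports tree), here is a small Python pre-check in the spirit of the point above: it classifies the hunks in a patch file before patch(1) sees it, refuses ed-style input, and otherwise returns the `patch -u`/`-c`/`-n` flag that pins the detected format so an editor is never invoked, whatever patch version is installed. The helper names, regexes and the two sample patches are my own constructions.

```python
"""Pre-flight check for a patch file before patch(1) sees it (hypothetical
helper, not from the FreeBSD ports tree). Sample inputs are constructed."""
import re

# Hunk headers GNU patch recognises for each input format.
_UNIFIED = re.compile(r"^@@ -\d+(?:,\d+)? \+\d+(?:,\d+)? @@")
_CONTEXT = re.compile(r"^\*\*\* \d+(?:,\d+)? \*\*\*\*$")
_NORMAL = re.compile(r"^\d+(?:,\d+)?[acd]\d+(?:,\d+)?$")
# An ed command has a line address but no target range, e.g. "2c" or "5,7d".
_ED = re.compile(r"^\d+(?:,\d+)?[acdi]$")
# Flags that pin patch(1) to one format so nothing else gets interpreted.
_FORCE_FLAG = {"unified": "-u", "context": "-c", "normal": "-n"}


def classify_patch(text: str) -> dict:
    """Count hunk headers per format and flag any ed-script content."""
    counts = {"unified": 0, "context": 0, "normal": 0, "ed": 0}
    in_ed_text = False  # inside the text block after an ed a/c/i command
    for line in text.splitlines():
        if in_ed_text:
            in_ed_text = line != "."  # a lone "." ends the text block
            continue
        if _UNIFIED.match(line):
            counts["unified"] += 1
        elif _CONTEXT.match(line):
            counts["context"] += 1
        elif _NORMAL.match(line):
            counts["normal"] += 1
        elif _ED.match(line):
            counts["ed"] += 1
            in_ed_text = line[-1] in "aci"
    counts["ed_script"] = counts["ed"] > 0  # patch would hand this to an editor
    return counts


def forced_format_flag(counts: dict):
    """Return the patch(1) flag pinning the detected format, or None to reject."""
    # Reject ed input outright; pinning -u/-c/-n means an editor is never run,
    # whichever version of patch is installed.
    if counts["ed_script"]:
        return None
    present = [fmt for fmt in _FORCE_FLAG if counts[fmt]]
    return _FORCE_FLAG[present[0]] if len(present) == 1 else None


# Constructed samples: a unified hunk and the same change as an ed script.
UNIFIED_SAMPLE = ("--- a/hello.c\n+++ b/hello.c\n@@ -1,3 +1,3 @@\n"
                  " int main(void) {\n-    return 1;\n+    return 0;\n }\n")
ED_SAMPLE = "2c\n    return 0;\n.\nw\nq\n"
```

In a port build wrapper you would run `classify_patch` over each file in `files/` and pass the returned flag to `patch -i`, aborting when it is `None`.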


----------



## noodlefling (Oct 5, 2019)

Is there a long term plan for this?  Should we be installing something like nupatch (I just made that up)?  Is the source code still vulnerable, or is this just a case of the maintainer not updating to the latest version?

This is the last holdout on my otherwise clean `pkg audit`.


----------



## D-FENS (Oct 5, 2019)

tingo said:


> Well, patch is used to patch one or more source files of (in this case) LibreOffice. The relevant vulnerability report for patch (in this case) contains three separate vulnerabilities; the first two will result in the patch program failing during execution (IMHO), which (most likely) would result in one or more patches failing during 'make' of the LibreOffice port. If that resulted in a failed build, you would know.
> The third patch vulnerability is the most (IMHO) "dangerous" one: "when processing patch files, specifically the EDITOR_PROGRAM invocation (using ed) can result in code execution. This attack appear to be exploitable via a patch file processed via the patch utility."
> So, if someone managed to "sneak in" a malicious patch file for the LibreOffice port, there is a chance that you could end up with malicious code in your LibreOffice built from this port. It is hard to assign a "number" to this risk; how likely is it that the scenario will happen?


Isn't this obvious? If you can sneak in a malicious patch file, you can insert arbitrary code in any program?


----------

