Guess I was wrong in assuming GNU patch does "fancy checks"... https://github.com/richfelker/cowpatch …pic.twitter.com/IlbJuM3YRp
You can add location information to your Tweets, such as your city or precise location, from the web and via third-party applications. You always have the option to delete your Tweet location history. Learn more
Guess I was wrong in assuming GNU patch does "fancy checks"... https://github.com/richfelker/cowpatch …pic.twitter.com/IlbJuM3YRp
I can reproduce it...
It's utterly idiotic that nonsense legacy patch formats like that are supported without a --please-really-exec-code-from-the-patch option.
I'll make a minimal reproducer and writeup a bug report later if noone else does it faster
someone else reported it already, I attached a poc https://savannah.gnu.org/bugs/index.php?53566 …
That was me. Thanks :) I'll attach the patch I was working on, but I doubt it'll be merged. (It makes GNU Patch refuse to handle ed scripts by default, warning that they are "potentially dangerous").
Patch attached, let's see what happens :)
As expected, my patch wasn't accepted. But an alternative patch has been merged and it has been assigned CVE-2018-1000156.
Even OpenBSD used to do this and got burnt https://ftp.openbsd.org/pub/OpenBSD/patches/5.7/common/013_patch.patch.sig …. Their patch now handles ed diffs internally https://marc.info/?l=openbsd-cvs&m=144498099601083&w=2 …
FreeBSD brought in the OpenBSD change, and invokes /bin/red (restricted ed), but we should pick up OpenBSD's internal ed diff handling.
We considered making the patch exploit the beep bug and privesc to root and drop a file at /pwn.lol - but then we got lazy.
Git won't execute it. I spotted this on Tuesday, but Git applied the patch without calling the command so I assumed it was a joke. Damn.
Did you hear the beep?
don't worry, the fix is trivial: see the attached .patch
Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.