
Patch runs ed, and ed can run anything - akerl_
http://rachelbythebay.com/w/2018/04/05/bangpatch/
======
Spivak
I will admit that people consider it a little surprising and non-hackers will
be very loudly booed if they rely on this behavior, but ed finds its way into
lots of utilities like this. It's a remnant of a bygone era where people
_wanted_ their tools to have this kind of power.

But the author is absolutely right, nowadays we should prefer red. Still a
small amount of shame if you're applying untrusted patches.

~~~
zokier
The early computing era (I'd say until the early '90s) definitely had
something special in the way so much relied on trust, both trusting the user
and trusting the wider community. Today everything is so locked down, paranoid
and anxiety inducing that computing has become increasingly stressful and
unfun.

I'm also reminded of an RMS writing (I think it was a letter of some sort)
campaigning that denying computer lab users root access was oppressive. Bit
sad that I can't actually find it now.

And of course the classic (if misused like I'm doing here) Franklin quote
"Those who would give up essential Liberty, to purchase a little temporary
Safety, deserve neither Liberty nor Safety."

~~~
yongjik
It's easy to trust the user and the wider community when your typical user is
"another student in UCLA" and the worst they can steal from you is yesterday's
experiment log.

Put another way, it's easy to trust a user if you and they both know that they
can be tracked down and face disciplinary action if their behavior was deemed
unacceptable.

~~~
TeMPOraL
Moreover: it's easy to trust each other if all you're doing is scientific
research, games and pranks. But one day we woke up and found half of the world
relying on computing in everything, from business to healthcare to national
security. With regular people and regular day-to-day stuff comes regular
crime.

------
gbrown_
OpenBSD's patch handles ed style diffs internally now and also it is not
permitted to execute other programs thanks to pledge.

[https://marc.info/?l=openbsd-cvs&m=144498099601083&w=2](https://marc.info/?l=openbsd-cvs&m=144498099601083&w=2)

------
seanhunter
Patch knows that ed is a fine choice. Ed is generous enough to flag errors,
yet prudent enough not to overwhelm the novice with verbosity.

In case anyone has not been exposed to the reference, it's perhaps invoking
the famous `ed, man !man ed` page.
[https://www.gnu.org/fun/jokes/ed-msg.html](https://www.gnu.org/fun/jokes/ed-msg.html)

~~~
rachelbythebay
Crap! I knew I forgot something. I forgot to reference "eat flaming death". Oh
well, good catch!

~~~
orionblastar
We used that phrase in some Tradewar games during the BBS Era.

------
jimrandomh
This is bad and should be fixed, but there are fairly few circumstances where
it actually creates a new vulnerability. The majority of uses of patch are
applied to source code by someone who's going to end up running that code
anyways, so applying patches you haven't read closely from sources you don't
trust is already unsafe.

~~~
simlevesque
You could build the binary on your machine and run it inside a VM.

~~~
petters
The patch could also modify the Makefile (or similar) to run arbitrary
commands when the build is started.

------
secure
I don’t have ed installed (not a conscious decision), which prevents this from
working:

    % patch <evil.patch
    sh: 1: ed: not found
    patch: **** ed FAILED

patch works just fine for me, though, so ed is not required.

~~~
cbr
What distribution?

(I don't think I've ever used a system that didn't have ed installed by
default.)

~~~
sothym
Arch Linux doesn't contain ed in their base package group.

------
tantalor
So patch can read email?

[https://en.wikipedia.org/wiki/Zawinski%27s_Law](https://en.wikipedia.org/wiki/Zawinski%27s_Law)

~~~
dfsegoat
Off topic, and forgive my naivety & ignorance, but I really do not understand
the highly specific nature of this Principle / Law, as it is on wiki:

"Every program attempts to expand until it can read mail. Those programs which
cannot so expand are replaced by ones which can."

... was Mail just the example at the time? And is this basically just a
generic reference to feature/scope creep?... I just don't get the highly
specific inclusion of "Reading mail" as something that all programs expand
towards.

~~~
dguaraglia
It's a bit of both. I think the joke was mostly driven by Emacs which - due to
how incredibly flexible the Elisp interpreter is - started gaining plugins to do
the most absurd things. There is, for example, a full "web browser" mode, a
full-blown email client, even an implementation of the Snake game.

~~~
na85
You can have my nyan cat modeline when you pry it from my cold, dead fingers.

~~~
TeMPOraL
You're welcome! :).

------
Blackthorn
Eep. Seems like patch should be running red, not ed!

Amazing how an ancient vuln can still be found hidden in plain sight.

~~~
oblio
Does anyone know if the GNU tools, the coreutils, have been through security
audits and fuzzing? They’re the most used tools on the planet, I’d say, and
relying on the 90’s “many eyes make all bugs shallow” doesn’t seem to cut it
anymore...

~~~
pixelbeat__
I'm the GNU coreutils maintainer and have fuzzed them extensively. For example
a recent bad bug in TZ handling was found using AFL and fixed by:
[http://git.sv.gnu.org/gitweb/?p=gnulib.git;a=commitdiff;h=94...](http://git.sv.gnu.org/gitweb/?p=gnulib.git;a=commitdiff;h=94e01571)

We put a lot of effort into the test suite which makes it easy for others to
test various experimental security checkers. This has been detailed in the
"third party testing" section at:
[http://www.pixelbeat.org/docs/coreutils-testing.html](http://www.pixelbeat.org/docs/coreutils-testing.html)

~~~
DyslexicAtheist
Wow, pretty awesome to see such a QA pipeline in Open Source projects. I'm used
to this in expensive R&D pipelines in the Telco space[0]. Is there a reason
you're not using oss-fuzz[1]?

I recently did a lot of work using AFL-fast[2] (poking mostly Perl & Lua and
crappy IoT products). My experience is that AFL-fast yielded far better
results (in a fraction of the time) when compared to AFL.

[0] [http://www.syssec-project.eu/m/page-media/3/johansson_tfuzz_...](http://www.syssec-project.eu/m/page-media/3/johansson_tfuzz_icst14.pdf)

[1] [https://github.com/google/oss-fuzz](https://github.com/google/oss-fuzz)

[2] [https://github.com/mboehme/aflfast](https://github.com/mboehme/aflfast)

~~~
pixelbeat__
aflfast is mentioned in my second link and was the most used fuzzing
implementation to find bugs in coreutils.

We've had a quick look at using oss-fuzz, which will need a bit of work since
it's more suited to libraries rather than standalone utils.

------
volkadav
Similarly, I recall once being denied root on a host while trying to help out
with something and then asking if I could at least have sudo less to look at
things... which was granted. >:D (then I fixed the problem)

~~~
jacquesm
Always nice to know more about the system than those nominally in charge of
the system.

------
aplorbust
"patch will attempt to determine the type of the diff listing, unless
overruled by a -c, -e, -n, or -u option. Context diffs (old-style, new-style,
and unified) and normal diffs are applied directly by the patch program itself,
whereas _ed diffs_ are simply fed to the ed(1) editor via a pipe."

According to this, context diffs are not sent to ed.

Is the author suggesting that patch can be fooled to interpret a context diff
as an ed diff?

There's a file called pch.c with an excessive amount of parsing and "intuit"
functions like intuit_diff_type().

patch has anthropomorphised progress and error messages and tries to "guess".

However I am only a dumb end user. I should not question what I do not
understand. It's all safe I'm sure.

------
gtrubetskoy
Does this mean a "git pull" is vulnerable to this, or does git not rely on
patch?

~~~
Jasper_
git's delta pack format, which is used on the wire, is not based on patch. This
would only affect "git patch" and derivatives like "git am".

~~~
eridius
Does `git apply` actually farm out to /usr/bin/patch? I kind of assumed it
reimplemented the patching itself.

~~~
LukeShu
You're correct, git has its own patch implementation (plus, it's a bit
stricter than the patch program, because it doesn't have to deal with various
patch formats--only "unified" patches).

------
jwilk
The beep bug on HN:
[https://news.ycombinator.com/item?id=16753013](https://news.ycombinator.com/item?id=16753013)

------
teeray
So how long will it be before we have a Monero miner implementation in ed?

------
eridius
Why does patch call ed? What did anyone ever actually use this for?

~~~
LukeShu
The `patch` program is expected to be able to apply any patchfile syntaxes
created by `diff`. Once upon a time, the default behavior of diff was to spit
out an `ed` script (nowadays, it's behind the `-e` flag). So, to apply that
syntax of patchfile, it invokes `ed`.
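
The safer alternative the thread keeps circling (gbrown_'s note that OpenBSD's patch now handles ed-style diffs internally, and the "should be running red" remark) is to interpret the `a`/`c`/`d` subset that `diff -e` actually emits rather than piping the script to a real editor. The following is an added illustration, not code from patch, diff or the linked post; the sample file and scripts are constructed here, and `diff -e` is assumed to emit its commands in descending line order so they can be applied sequentially.

```python
import re

# diff -e only emits line-addressed a, c and d commands ("5d", "2,4c", "7a").
_CMD_RE = re.compile(r'^(\d+)(?:,(\d+))?([acd])$')


class UnsafeEdScript(ValueError):
    """Any command outside the a/c/d subset (e.g. '!' shell escapes, 'r', 'w')."""


def parse_ed_script(script):
    """Parse an ed-style diff into (start, end, op, text_lines) tuples.

    Every command line must match _CMD_RE; anything else is refused rather
    than handed to an interpreter that could execute it.
    """
    lines = script.splitlines()
    ops, i = [], 0
    while i < len(lines):
        m = _CMD_RE.match(lines[i])
        if not m:
            raise UnsafeEdScript("refusing ed command: %r" % lines[i])
        start = int(m.group(1))
        end = int(m.group(2)) if m.group(2) else start
        op, text, i = m.group(3), [], i + 1
        if op in 'ac':  # a/c carry a text block terminated by a lone '.'
            while i < len(lines) and lines[i] != '.':
                text.append(lines[i])
                i += 1
            if i >= len(lines):
                raise UnsafeEdScript("unterminated text block")
            i += 1  # skip the terminating '.'
        ops.append((start, end, op, text))
    return ops


def is_safe_ed_script(script):
    """True if the script consists solely of the a/c/d commands diff -e emits."""
    try:
        parse_ed_script(script)
        return True
    except UnsafeEdScript:
        return False


def apply_ed_script(original, script):
    """Apply a parsed ed-style diff to `original` without invoking ed(1)."""
    buf = original.splitlines()
    for start, end, op, text in parse_ed_script(script):
        # 'a' may address line 0 (insert at top); c/d need a real 1-based range.
        if not (0 <= start <= end <= len(buf)) or (op != 'a' and start < 1):
            raise ValueError("address out of range: %d,%d%s" % (start, end, op))
        if op == 'a':
            buf[start:start] = text
        elif op == 'd':
            del buf[start - 1:end]
        else:
            buf[start - 1:end] = text
    return '\n'.join(buf) + '\n'


# Constructed samples: a benign diff -e style script and one smuggling a shell escape.
SAMPLE_ORIGINAL = "one\ntwo\nthree\nfour\n"
SAMPLE_SCRIPT = "4d\n3a\nfive\n.\n2c\n2\n.\n"
SAMPLE_HOSTILE = "4d\n!date\n"
```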

------
brynet
Text editors are shells, remember that if your program executes a text editor.

------
hannob
Here's the upstream bug report:
[https://savannah.gnu.org/bugs/index.php?53566](https://savannah.gnu.org/bugs/index.php?53566)

------
zitterbewegung
This hole needs a fancy name. Patchowned? Pwneded ?

~~~
paulie_a
No, just no. Naming vulns is a theme that needs to go away.

~~~
sigjuice
Agreed. Every mundane bug or misfeature doesn't need its own website or
20-page analysis. Fix things and move on to the next thing that needs fixing.
There is an endless supply of broken things.

~~~
paulie_a
To be fair I can appreciate the technical analysis of a security issue. The
marketing is useless and just plain stupid

------
yiyus
This is, of course, a vulnerability. But let's not get too crazy. Once you are
applying a patch, either you trust the patch or not.

If you blindly apply patches, you will be at risk as soon as you run or try to
compile the patched command. This attack is just a bit faster because it
happens as soon as you apply the patch.

~~~
mrob
Patch isn't only used for source code. I wouldn't have expected any risk of
malicious code execution if I was patching documentation.

~~~
jwilk
Even for source, you may want to review the patch after applying it.

For example, dpkg-source applies patches when you unpack a source package. I
don't think anybody expects code execution when unpacking stuff, even when
this stuff is untrusted.

------
cs702
My reaction whenever I read things like the OP:
[https://blog.codinghorror.com/assets/images/codinghorror-app...](https://blog.codinghorror.com/assets/images/codinghorror-app-icon.png?v=1162b121ab)

------
vilhelm_s
The whole (satirical) website
[https://holeybeep.ninja/](https://holeybeep.ninja/) is really great.

------
magwa101
Real programmers use ed.

~~~
sigjuice
Disagree :)

    $ cat >a.out

EDIT: maybe not

[https://xkcd.com/378/](https://xkcd.com/378/)

------
HIPisTheAnswer
Torvalds argument against microkernel: 'But, performance!'.

Result: QubesOS

...

------
gregoriol
Does this mean that it would be dangerous to try to patch patch?

------
codedokode
This is where unix philosophy fails. Patch should be editing files itself, not
via an external program.

~~~
cryptonector
This isn't the Unix philosophy at work. This is embedding a DSL. Microsoft
Office has the same exact problems, does it not? No Unix philosophy there.

------
wodenokoto
So, who is this Rachel, and why has her blog suddenly exploded on HN? Both old
and new posts have been filling the front page for about 2 weeks.

~~~
dang
The blog has been appearing on HN for many years. I assume she just started
publishing more lately.

~~~
rachelbythebay
Yep. Getting out of a 'real job' released a whole bunch of cycles and there
are a bunch of stories waiting to be told. I don't submit 'em ... I just write
'em.

------
DyslexicAtheist
> _This came up as part of the discussion on the "beep exploit" yesterday. I
> found it buried in the HN /new queue as a simple link to the Debian bug
> tracker._

I was expecting this post to go through the roof and was rather surprised it
gained zero traction, lol. Nobody using the GNU toolchain anymore on HN or it
just got drowned out idk ...
[https://news.ycombinator.com/item?id=16766577](https://news.ycombinator.com/item?id=16766577)

