Prevent patch(1) from scribbling all over the place. (marc.info)
from tedu to openbsd on 25 Jul 2023 16:21
https://azorius.net/p/Y21Nw463m2Y7KnmLZP

Arguably the only sensible use of patch(1) is changing files in the current working directory and subdirectories.

However, patch(1) has this anti-feature, or dare I say bug, where it will happily follow "../" upwards and outside of the current working directory to find files to change. All it takes is a line like
+++ ../../../../home/florian/.ssh/authorized_keys
in the patchfile.

patch(1) operates on untrusted input and it already pledge(2)'ed to not execute arbitrary programs, but of course it needs to write files.

A simple unveil(".", "rwc") restricts patch(1) to its current working directory.

https://github.com/openbsd/src/commit/4d951e9375c9e68d1aed559bb61502fa0cca5b7a

#openbsd
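As an added illustration (not part of tedu's post or of the OpenBSD commit), a check a patch consumer can run before applying a diff: it reads the `---`/`+++` headers, strips leading components the way `patch -pN` would, and flags any target that resolves outside the working directory; the helper names and the sample patch are constructed. On OpenBSD, unveil(2) remains the better fix, since it also covers a symlink inside the tree that points outside, which this static check cannot see.

```python
import posixpath

# Constructed sample patch; the second file header reuses the path from the post.
SAMPLE_PATCH = """\
--- src/main.c
+++ src/main.c
@@ -1 +1 @@
-int x;
+int y;
--- /dev/null
+++ ../../../../home/florian/.ssh/authorized_keys
@@ -0,0 +1 @@
+placeholder line
"""


def strip_components(path, strip):
    """Mimic patch -pN: drop the first N slash-separated components.

    Like patch(1), a leading "/" counts as one slash and runs of slashes count as one.
    """
    rest = path
    for _ in range(strip):
        idx = rest.find("/")
        if idx < 0:
            return rest
        rest = rest[idx + 1:].lstrip("/")
    return rest


def escapes_cwd(target, strip=0):
    """True when the stripped target would land outside the current directory."""
    path = strip_components(target, strip)
    if path.startswith("/"):
        return True
    norm = posixpath.normpath(path)  # "a/../../b" -> "../b", "a/../b" -> "b"
    return norm == ".." or norm.startswith("../")


def find_escaping_targets(patch_text, strip=0):
    """Return (line number, target) pairs for file headers that leave the cwd.

    Conservative: every "---"/"+++" name is checked, not only the one patch(1)
    would finally pick with its own Index:/---/+++ heuristics.
    """
    hits = []
    for lineno, line in enumerate(patch_text.splitlines(), 1):
        if line.startswith(("--- ", "+++ ")):
            target = line[4:].split("\t")[0].strip()
            if target != "/dev/null" and escapes_cwd(target, strip):
                hits.append((lineno, target))
    return hits
```

With `-p0` the sample is rejected at the authorized_keys header; with `-p4` the same path collapses to `home/...` under the cwd and passes, which is exactly why the strip level has to be part of the check.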
