Patch runs ed, and ed can run anything

The early computing era (I'd say until early '90s) was definitely had something special in the way so much relied on trust, both trusting the user and trusting the wider community. Today everything is so locked down, paranoid and anxiety inducing that computing has become increasingly stressful and unfun.

I'm also reminded by a RMS writing (I think it was letter of some sort) campaigning that denying computer lab users root access was oppressive. Bit sad that I can't actually find it now.

And of course the classic (if misused like I'm doing here) Franklin quote "Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety."

I don't think it's so much that people wanted patch to be able to run arbitrary code, but rather that writing your tools to be very flexible allows you to get the functionality you need with very little code. The first version of ctags was written as a shell script that invoked ed to do the heavy lifting, for example. It was a small fraction of the rewrite of ctags in C in later Unixes.

So that's how you end up with m4 being Turing-complete, being able to put shell commands in anything, that sort of thing.

>It's a remnant of a bygone era where people wanted their tools to have this kind of power.

You should still want your tools to have this power.

It's amazing what you can do with tools built like this and how _easy_ it is. People use the same motivation for making microservices, "do one thing well", they just don't think about it for command line utilities and treat shell scripting like a second class citizen.

Crap! I knew I forgot something. I forgot to reference "eat flaming death". Oh well, good catch!

geez, towards the end that starts reading like my bottle of Dr Bronner's Soap

> The majority of uses of patch are applied to source code by someone who's going to end up running that code anyways, so applying patches you haven't read closely from sources you don't trust is already unsafe.

I think you are overlooking a case that I suspect is common: applying a patch without reading the patch source and then using your source code control system to review what the patch did.

That lets you review that patch using whatever tools you normally use for reviewing code changes, which are often much nicer than reading a raw ed script.

The main place where this would be an issue would be if you have a server that is not going to build or run code, but applies patches to source and outputs the result.

So a cr review website could be affected.

That advice has been being passed around for a good long time, probably almost as long as patch itself.

Sure, except you could (for example) steal Linus's private ssh keys with this.

You could build the binary on your machine and run it inside a VM.

Patch applies files created with diff. Diff has 4 different output formats. One of those formats is basically a batch script with ed instructions.

For patch to work correctly you have to allow executing ed commands (internally or by spawning ed) but for security reasons you better not let ed execute yet another program.

What distribution?

(I don't think I've ever used a system that didn't have ed installed by default.)

Off topic, and forgive my naivety & ignorance, but I really do not understand the highly specific nature of this Principle / Law, as it is on wiki:

"Every program attempts to expand until it can read mail. Those programs which cannot so expand are replaced by ones which can."

... was Mail just the example at the time? and this is basically just the a generic reference to feature/scope creep?... I just don't get the highly specific inclusion of "Reading mail" as something that all programs expand towards.

Does anyone know if the GNU tools, the coreutils, have been through security audits and fuzzing? They’re the most used tools on the planet, I’d say, and relying on the 90’s “many eyes make all bugs shallow” doesn’t seem to cut it anymore...

FreeBSD's patch runs red, a change we picked up from DragonFly BSD. That said OpenBSD's change to internally handle ed-style diffs is the best approach and I expect FreeBSD will migrate to that.

Always nice to know more about the system than those nominally in charge of the system.

I believe git uses its own implementation for applying deltas sucked down by `git pull`

    https://github.com/git/git/blob/master/patch-delta.c

There's also `git apply` that applies user supplied patchfiles but if I'm reading this correctly it also uses an internal implementation:

    https://github.com/git/git/blob/master/apply.c

git's delta pack format which used on the wire is not based on patch. This would only affect "git patch" and derivatives like "git am".

The `patch` program is expected to be able to apply any patchfile syntaxes created by `diff`. Once upon a time, the default behavior of diff was to spit out an `ed` script (nowadays, it's behind the `-e` flag). So, to apply that syntax of patchfile, it invokes `ed`.

Edit: I'm replacing my somewhat vague reply with a more correct answer:

https://en.wikipedia.org/wiki/Diff_utility#Edit_script

Unix principle of small tools chained together.

I was hoping "bangpatch" (see URL). It's descriptive, and it's also a sly reference to the old-school days of UUCP.

PatchEd

No, just no. Naming vulns is a theme that needs to go away

The Patch Snatch Batch

Patch isn't only used for source code. I wouldn't have expected any risk of malicious code execution if I was patching documentation.

Suppose you're applying patches to something other than software?

What if you're trying to apply a patch to a .txt document?