untrusted comment: verify with openbsd-74-base.pub

untrusted comment: verify with openbsd-74-base.pub
RWRoyQmAD08ajXjcin1pp4Tjr/m3D3WptDeh01xRf2szPGUj6bJWqqBTJFiXJ2EZGC03ZELG34Ohc8fmj5aU9E1Biml9UM8yowQ=

OpenBSD 7.4 errata 003, November 21, 2023:

patch(1) with explicit patchfile did not work in 7.4 due to overeager
unveil(2) restrictions.

Apply by doing:
signify -Vep /etc/signify/openbsd-74-base.pub -x 003_patch.patch.sig \
-m - | (cd /usr/src && patch -p0)

And then rebuild and install patch(1):
cd /usr/src/usr.bin/patch
make obj
make
make install

Index: usr.bin/patch/patch.c
===================================================================
RCS file: /cvs/src/usr.bin/patch/patch.c,v
diff -u -p -r1.74 patch.c
--- usr.bin/patch/patch.c 19 Jul 2023 13:26:20 -0000 1.74
+++ usr.bin/patch/patch.c 30 Oct 2023 14:55:52 -0000
@@ -32,6 +32,7 @@

#include <ctype.h>
#include <getopt.h>
+#include <libgen.h>
#include <limits.h>
#include <paths.h>
#include <stdio.h>
@@ -213,11 +214,27 @@ main(int argc, char *argv[])
perror("unveil");
my_exit(2);
}
- if (filearg[0] != NULL)
+ if (filearg[0] != NULL) {
+ char *origdir;
+
if (unveil(filearg[0], "rwc") == -1) {
perror("unveil");
my_exit(2);
}
+ if ((origdir = dirname(filearg[0])) == NULL) {
+ perror("dirname");
+ my_exit(2);
+ }
+ if (unveil(origdir, "rwc") == -1) {
+ perror("unveil");
+ my_exit(2);
+ }
+ } else {
+ if (unveil(".", "rwc") == -1) {
+ perror("unveil");
+ my_exit(2);
+ }
+ }
if (filearg[1] != NULL)
if (unveil(filearg[1], "r") == -1) {
perror("unveil");
@@ -228,10 +245,6 @@ main(int argc, char *argv[])
perror("unveil");
my_exit(2);
}
- if (unveil(".", "rwc") == -1) {
- perror("unveil");
- my_exit(2);
- }
if (*rejname != '\0')
if (unveil(rejname, "rwc") == -1) {
perror("unveil");