Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 690136 (CVE-2019-13636, CVE-2019-13638) - <sys-devel/patch-2.7.6-r4: multiple vulnerabilities
Summary: <sys-devel/patch-2.7.6-r4: multiple vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2019-13636, CVE-2019-13638
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major (vote)
Assignee: Gentoo Security
URL:
Whiteboard: A2 [glsa+ cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2019-07-18 08:43 UTC by D'juan McDonald (domhnall)
Modified: 2019-08-23 10:27 UTC (History)
2 users (show)

See Also:
Package list:
sys-devel/patch-2.7.6-r4
Runtime testing required: ---
stable-bot: sanity-check+

Attachments
patch-2.7.6-r4.ebuild (patch-2.7.6-r4.ebuild,1.36 KB, text/plain)
2019-08-16 08:07 UTC, Teika kazura 		no flags Details
patch-2.7.6-CVE-2019-13636.patch (patch-2.7.6-CVE-2019-13636.patch,3.66 KB, patch)
2019-08-16 08:08 UTC, Teika kazura 		no flags Details | Diff
patch-2.7.6-CVE-2019-13638.patch (patch-2.7.6-CVE-2019-13638.patch,1.16 KB, patch)
2019-08-16 08:09 UTC, Teika kazura 		no flags Details | Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description D'juan McDonald (domhnall) 2019-07-18 08:43:29 UTC 
(https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13636):

In GNU patch through 2.7.6, the following of symlinks is mishandled in certain cases other than input files. This affects inp.c and util.c.

upstream patch: https://git.savannah.gnu.org/cgit/patch.git/commit/?id=dce4683cbbe107a95f1f0d45fabc304acfb5d71a


Gentoo Security Padawan
(domhnall)
Comment 1 Teika kazura 2019-07-29 00:02:22 UTC 
There's also cve-2019-13638 (shell command injection vuln). See e.g. https://security-tracker.debian.org/tracker/CVE-2019-13638 
The upstream fix is also ready:
 https://git.savannah.gnu.org/cgit/patch.git/commit/?id=3fcd042d26d70856e826a42b5f93dc4854d80bf0

Regards.
Comment 2 Teika kazura 2019-08-16 08:07:09 UTC 
Created attachment 587032 [details]
patch-2.7.6-r4.ebuild

I've created an ebuild that incorporates the above two patches for Gentoo users' sake.

Use at your own risk. At least it can src_prepare itself.
Comment 3 Teika kazura 2019-08-16 08:08:25 UTC 
Created attachment 587034 [details, diff]
patch-2.7.6-CVE-2019-13636.patch

CVE-2019-13636 part.
Comment 4 Teika kazura 2019-08-16 08:09:36 UTC 
Created attachment 587036 [details, diff]
patch-2.7.6-CVE-2019-13638.patch

CVE-2019-13638 part.

Best regards.
Comment 5 Teika kazura 2019-08-16 08:22:06 UTC 
The above ebuild is my personal work, *NOT* by a Gentoo developer. Sorry to have forgotten to mention it in the first place. But hope it helps for someone.
Comment 6 Larry the Git Cow gentoo-dev 2019-08-16 12:40:31 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b4e5bfd9d4c04c2f942bbecce62e4394d827de16

commit b4e5bfd9d4c04c2f942bbecce62e4394d827de16
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2019-08-16 12:38:46 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2019-08-16 12:40:22 +0000

    sys-devel/patch: rev bump to add some patches
    
    Bug: https://bugs.gentoo.org/690136
    Package-Manager: Portage-2.3.71, Repoman-2.3.17
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 ...lid-memory-access-in-context-format-diffs.patch |  26 +++++
 .../files/patch-2.7.6-CVE-2018-1000156-fix1.patch  | 102 +++++++++++++++++++
 .../files/patch-2.7.6-CVE-2018-1000156-fix2.patch  |  37 +++++++
 .../patch/files/patch-2.7.6-CVE-2019-13636.patch   | 108 +++++++++++++++++++++
 .../patch/files/patch-2.7.6-CVE-2019-13638.patch   |  38 ++++++++
 ...hen-RLIMIT_NOFILE-is-set-to-RLIM_INFINITY.patch |  89 +++++++++++++++++
 sys-devel/patch/patch-2.7.6-r4.ebuild              |  46 +++++++++
 7 files changed, 446 insertions(+)
Comment 7 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2019-08-16 21:50:05 UTC 
amd64 stable
Comment 8 Aaron Bauman (RETIRED) gentoo-dev 2019-08-16 21:52:52 UTC 
arm64 stable
Comment 9 Thomas Deutschmann (RETIRED) gentoo-dev 2019-08-16 22:40:05 UTC 
x86 stable
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2019-08-18 02:25:30 UTC 
This issue was resolved and addressed in
 GLSA 201908-22 at https://security.gentoo.org/glsa/201908-22
by GLSA coordinator Aaron Bauman (b-man).
Comment 11 Aaron Bauman (RETIRED) gentoo-dev 2019-08-18 02:26:01 UTC 
re-open for final arches
Comment 12 Rolf Eike Beer archtester 2019-08-18 08:39:59 UTC 
sparc stable
Comment 13 Sergei Trofimovich (RETIRED) gentoo-dev 2019-08-18 10:16:40 UTC 
ia64/ppc/ppc64 stable
Comment 14 Sergei Trofimovich (RETIRED) gentoo-dev 2019-08-19 07:03:08 UTC 
hppa stable
Comment 15 Agostino Sarubbo gentoo-dev 2019-08-23 10:00:34 UTC 
s390 stable
Comment 16 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2019-08-23 10:24:33 UTC 
sh stable
Comment 17 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2019-08-23 10:24:56 UTC 
m68k stable
Comment 18 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2019-08-23 10:25:17 UTC 
alpha stable
Comment 19 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2019-08-23 10:25:58 UTC 
arm stable