Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 538658 - <sys-devel/patch-2.7.4: infinite loop with a crafted diff
Summary: <sys-devel/patch-2.7.4: infinite loop with a crafted diff
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: A3 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2015-02-03 11:56 UTC by Agostino Sarubbo
Modified: 2016-12-05 01:18 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2015-02-03 11:56:49 UTC
From ${URL} :

It was reported [1] that when processing a crafted diff patch will loop infinitely, which can lead 
to resourse consumption and local denial of service.

[1]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=776271


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Yury German Gentoo Infrastructure gentoo-dev 2015-03-16 00:44:29 UTC
Patch introduced by both Debian and RedHat. 

Maintainers, please advise.
Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev 2016-12-01 20:31:09 UTC
This is was fixed by upstream in v2.7.4. Tested via https://bugs.debian.org/cgi-bin/bugreport.cgi?att=1;bug=776271;filename=loop2.patch.gz;msg=5


@ Maintainer(s): Please cleanup sys-devel/patch and drop at least =sys-devel/patch-2.7.3.
Comment 3 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2016-12-01 22:00:19 UTC
commit e00febb6b1e65871c8a4147f96338ae2eb0312c5
Author: Lars Wendler <polynomial-c@gentoo.org>
Date:   Thu Dec 1 22:59:10 2016

    sys-devel/patch: Security cleanup (bug #538658).

    Package-Manager: portage-2.3.2
Comment 4 Thomas Deutschmann (RETIRED) gentoo-dev 2016-12-05 00:13:07 UTC
New GLSA created.
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2016-12-05 01:18:25 UTC
This issue was resolved and addressed in
 GLSA 201612-12 at https://security.gentoo.org/glsa/201612-12
by GLSA coordinator Aaron Bauman (b-man).