CVE-2018-6952 (https://nvd.nist.gov/vuln/detail/CVE-2018-6952): A double free exists in the another_hunk function in pch.c in GNU patch through 2.7.6.
Upstream fix: http://git.savannah.nongnu.org/cgit/patch.git/commit/?id=9c986353e420ead6e706262bf204d6e03322c300 Hopefully, it will be in the next release.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5c55ece4eee17a954740b8ecc03b1cb8ed58c123 commit 5c55ece4eee17a954740b8ecc03b1cb8ed58c123 Author: Thomas Deutschmann <whissi@gentoo.org> AuthorDate: 2019-03-28 00:32:30 +0000 Commit: Thomas Deutschmann <whissi@gentoo.org> CommitDate: 2019-03-28 00:33:05 +0000 sys-devel/patch: add patches for CVE-2018-{6951,6952}, CVE-2018-1000156 Bug: https://bugs.gentoo.org/647792 Bug: https://bugs.gentoo.org/647794 Bug: https://bugs.gentoo.org/652710 Package-Manager: Portage-2.3.62, Repoman-2.3.12 Signed-off-by: Thomas Deutschmann <whissi@gentoo.org> .../patch/files/patch-2.7.6-CVE-2018-1000156.patch | 150 +++++++++++++++++++++ .../patch/files/patch-2.7.6-CVE-2018-6951.patch | 29 ++++ .../patch/files/patch-2.7.6-CVE-2018-6952.patch | 30 +++++ ...-files-to-be-missing-for-ed-style-patches.patch | 25 ++++ sys-devel/patch/patch-2.7.6-r3.ebuild | 40 ++++++ 5 files changed, 274 insertions(+)
This issue was resolved and addressed in GLSA 201904-17 at https://security.gentoo.org/glsa/201904-17 by GLSA coordinator Aaron Bauman (b-man).
