Summary: | <sys-devel/patch-2.7.6-r3: arbitrary command execution (CVE-2018-1000156) | |
---|---|---|---
Product: | Gentoo Security | Reporter: | Sławomir Nizio <slawomir.nizio>
Component: | Vulnerabilities | Assignee: | Gentoo Security <security>
Status: | RESOLVED FIXED | |
Severity: | normal | CC: | alexander, ap, base-system, prote
Priority: | Normal | Flags: | stable-bot: sanity-check+
Version: | unspecified | |
Hardware: | All | |
OS: | Linux | |
URL: | https://savannah.gnu.org/bugs/index.php?53566 | |
Whiteboard: | A2 [glsa+ cve] | |
Package list: | =sys-devel/patch-2.7.6-r3 | |
Runtime testing required: | Yes | |
Bug Depends on: | | |
Bug Blocks: | 647792, 647794 | |
Description
Sławomir Nizio
2018-04-06 22:46:43 UTC
CVE-2018-1000156 (https://nvd.nist.gov/vuln/detail/CVE-2018-1000156):

GNU Patch version 2.7.6 contains an input validation vulnerability when processing patch files, specifically the EDITOR_PROGRAM invocation (using ed) can result in code execution. This attack appears to be exploitable via a patch file processed via the patch utility. This is similar to FreeBSD's CVE-2015-1418; however, although they share a common ancestry, the code bases have diverged over time.

Upstream fix: http://git.savannah.nongnu.org/cgit/patch.git/commit/?id=123eaff0d5d1aebe128295959435b9ca5909c26d

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5c55ece4eee17a954740b8ecc03b1cb8ed58c123

commit 5c55ece4eee17a954740b8ecc03b1cb8ed58c123
Author: Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2019-03-28 00:32:30 +0000
Commit: Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2019-03-28 00:33:05 +0000

    sys-devel/patch: add patches for CVE-2018-{6951,6952}, CVE-2018-1000156

    Bug: https://bugs.gentoo.org/647792
    Bug: https://bugs.gentoo.org/647794
    Bug: https://bugs.gentoo.org/652710
    Package-Manager: Portage-2.3.62, Repoman-2.3.12
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 .../patch/files/patch-2.7.6-CVE-2018-1000156.patch | 150 +++++++++++++++++++++
 .../patch/files/patch-2.7.6-CVE-2018-6951.patch | 29 ++++
 .../patch/files/patch-2.7.6-CVE-2018-6952.patch | 30 +++++
 ...-files-to-be-missing-for-ed-style-patches.patch | 25 ++++
 sys-devel/patch/patch-2.7.6-r3.ebuild | 40 ++++++
 5 files changed, 274 insertions(+)

@arches, please stabilize.
amd64 stable

hppa stable

arm stable

ia64 stable

ppc64 stable

s390 stable

x86 stable

ppc stable

alpha stable

arm64 stable

arm stable

sparc stable

m68k stable

sh stable

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=473392c657823d46c09f4c3e7d58bdde2f60ba54

commit 473392c657823d46c09f4c3e7d58bdde2f60ba54
Author: Mikle Kolyada <zlogene@gentoo.org>
AuthorDate: 2019-04-11 09:48:52 +0000
Commit: Mikle Kolyada <zlogene@gentoo.org>
CommitDate: 2019-04-11 09:49:08 +0000

    sys-devel/patch: Security cleanup

    Bug: https://bugs.gentoo.org/652710
    Signed-off-by: Mikle Kolyada <zlogene@gentoo.org>
    Package-Manager: Portage-2.3.62, Repoman-2.3.11

 sys-devel/patch/patch-2.7.6-r2.ebuild | 36 -----------------------------------
 1 file changed, 36 deletions(-)

This issue was resolved and addressed in GLSA 201904-17 at https://security.gentoo.org/glsa/201904-17 by GLSA coordinator Aaron Bauman (b-man).