| Field | Value |
|---|---|
| Summary | sys-devel/patch-2.7.6-r4: multiple vulnerabilities |
| Product | Gentoo Security |
| Reporter | D'juan McDonald (domhnall) <flopwiki> |
| Component | Vulnerabilities |
| Assignee | Gentoo Security <security> |
| Status | RESOLVED FIXED |
| Severity | major |
| CC | base-system, teika |
| Priority | Normal |
| Flags | stable-bot: sanity-check+ |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| Whiteboard | A2 [glsa+ cve] |
| Package list | sys-devel/patch-2.7.6-r4 |
| Runtime testing required | --- |
| Attachments | patch-2.7.6-r4.ebuild (587032), patch-2.7.6-CVE-2019-13636.patch (587034), patch-2.7.6-CVE-2019-13638.patch (587036) |
Description
D'juan McDonald (domhnall)
2019-07-18 08:43:29 UTC
There's also CVE-2019-13638 (shell command injection vuln). See e.g. https://security-tracker.debian.org/tracker/CVE-2019-13638

The upstream fix is also ready: https://git.savannah.gnu.org/cgit/patch.git/commit/?id=3fcd042d26d70856e826a42b5f93dc4854d80bf0

Regards.

Created attachment 587032 [details]
patch-2.7.6-r4.ebuild
I've created an ebuild that incorporates the above two patches for Gentoo users' sake.
Use at your own risk. At least it can src_prepare itself.
Created attachment 587034 [details, diff]
patch-2.7.6-CVE-2019-13636.patch
CVE-2019-13636 part.
Created attachment 587036 [details, diff]
patch-2.7.6-CVE-2019-13638.patch
CVE-2019-13638 part.
Best regards.
The above ebuild is my personal work, *NOT* by a Gentoo developer. Sorry to have forgotten to mention it in the first place. But I hope it helps someone.

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b4e5bfd9d4c04c2f942bbecce62e4394d827de16

commit b4e5bfd9d4c04c2f942bbecce62e4394d827de16
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2019-08-16 12:38:46 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2019-08-16 12:40:22 +0000

    sys-devel/patch: rev bump to add some patches

    Bug: https://bugs.gentoo.org/690136
    Package-Manager: Portage-2.3.71, Repoman-2.3.17
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 ...lid-memory-access-in-context-format-diffs.patch |  26 +++++
 .../files/patch-2.7.6-CVE-2018-1000156-fix1.patch  | 102 +++++++++++++++++++
 .../files/patch-2.7.6-CVE-2018-1000156-fix2.patch  |  37 +++++++
 .../patch/files/patch-2.7.6-CVE-2019-13636.patch   | 108 +++++++++++++++++++++
 .../patch/files/patch-2.7.6-CVE-2019-13638.patch   |  38 ++++++++
 ...hen-RLIMIT_NOFILE-is-set-to-RLIM_INFINITY.patch |  89 +++++++++++++++++
 sys-devel/patch/patch-2.7.6-r4.ebuild              |  46 +++++++++
 7 files changed, 446 insertions(+)

amd64 stable

arm64 stable

x86 stable

This issue was resolved and addressed in GLSA 201908-22 at https://security.gentoo.org/glsa/201908-22 by GLSA coordinator Aaron Bauman (b-man).

re-open for final arches

sparc stable

ia64/ppc/ppc64 stable

hppa stable

s390 stable

sh stable

m68k stable

alpha stable

arm stable
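The first comment on this bug identifies CVE-2019-13638 as a shell command injection in GNU patch. The C program below is an added illustration of that bug class, not code from GNU patch, from the patches attached here, or from anyone on this bug: it contrasts handing an external editor a file name by pasting it into a command string that /bin/sh parses with the hardened form that fork()s and exec()s the editor with the name as a single argv element. /bin/echo stands in for the editor (an assumption, so the example runs offline and the effect is visible in the output), and the hostile file name is constructed for the example.

```c
/*
 * Added illustration of the bug class behind CVE-2019-13638 (shell command
 * injection via a file name); not code from GNU patch or from this bug's
 * attachments. /bin/echo stands in for the editor (assumption, so the
 * example runs offline and the difference is visible in the output).
 */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

#define EDITOR  "/bin/echo"   /* stand-in for the editor binary */
#define OUT_MAX 256

/* Read everything from fd into out (NUL-terminated, at most OUT_MAX-1 bytes). */
static void slurp(int fd, char *out)
{
    size_t n = 0;
    ssize_t r;
    while (n < OUT_MAX - 1 && (r = read(fd, out + n, OUT_MAX - 1 - n)) > 0)
        n += (size_t)r;
    out[n] = '\0';
}

/* Vulnerable: the name is pasted into a command line that /bin/sh parses,
 * so ';', '|', '$(...)' in it become shell syntax. Returns pclose() status. */
int run_editor_via_shell(const char *outname, char *out)
{
    char cmd[512];
    FILE *fp;

    snprintf(cmd, sizeof cmd, "%s - %s", EDITOR, outname);
    if ((fp = popen(cmd, "r")) == NULL)
        return -1;
    slurp(fileno(fp), out);
    return pclose(fp);
}

/* Hardened: fork and exec the editor directly; outname is one argv element
 * and no shell ever interprets it. Returns the child's wait status. */
int run_editor_direct(const char *outname, char *out)
{
    int pfd[2], status;
    pid_t pid;

    if (pipe(pfd) != 0 || (pid = fork()) < 0)
        return -1;
    if (pid == 0) {                         /* child */
        dup2(pfd[1], STDOUT_FILENO);
        close(pfd[0]);
        close(pfd[1]);
        execl(EDITOR, EDITOR, "-", outname, (char *)NULL);
        _exit(127);                         /* exec failed */
    }
    close(pfd[1]);                          /* parent */
    slurp(pfd[0], out);
    close(pfd[0]);
    return waitpid(pid, &status, 0) < 0 ? -1 : status;
}

/* 1 if "INJECTED" appears on a line of its own, i.e. the smuggled second
 * command actually executed instead of being passed through as text. */
int injection_ran(const char *out)
{
    return strstr(out, "\nINJECTED\n") != NULL;
}

/* Wrappers: 1 = injected command ran, 0 = name stayed data, -1 = error. */
int injected_via_shell(const char *outname)
{
    char out[OUT_MAX];
    return run_editor_via_shell(outname, out) != 0 ? -1 : injection_ran(out);
}

int injected_direct(const char *outname)
{
    char out[OUT_MAX];
    return run_editor_direct(outname, out) != 0 ? -1 : injection_ran(out);
}

int main(void)
{
    /* Constructed hostile file name of the kind a "+++" header could carry. */
    const char *hostile = "foo.c; echo INJECTED";
    char out[OUT_MAX];

    run_editor_via_shell(hostile, out);
    printf("via shell:\n%s-> injection ran: %d\n", out, injection_ran(out));
    run_editor_direct(hostile, out);
    printf("direct:\n%s-> injection ran: %d\n", out, injection_ran(out));
    return 0;
}
```

With the shell in the loop the `; echo INJECTED` tail runs as a second command; with the direct exec the whole string reaches the editor as one argument. The same question (does text after a metacharacter execute, or is it merely passed through?) is the check to apply to any code that builds command lines from patch headers, file names or other attacker-influenced input.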