From ${URL} :

It was reported [1] that the versions of the patch utility that support Git-style patches are vulnerable to a directory traversal flaw. This could allow an attacker to overwrite arbitrary files, with the privileges of the user running patch, by getting that user to apply a specially crafted patch. A reproducer for this issue is available in [1].

[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=775227

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know whether it is ready for stabilization or not.
+*patch-2.7.2 (21 Jan 2015)
+
+  21 Jan 2015; Lars Wendler <polynomial-c@gentoo.org> -patch-2.5.9.ebuild,
+  -patch-2.5.9-r1.ebuild, -patch-2.7.1-r2.ebuild, +patch-2.7.2.ebuild,
+  -files/patch-2.5.9-cr-stripping.patch,
+  -files/patch-2.7.1-Fix-removing-empty-directories-automake.patch:
+  Security bump (bug #536614). Removed old.

As this is a crucial package for us, I'd like to have it sit in testing (~arch) for a couple of days before we start the stabilization process.
+*patch-2.7.2-r1 (23 Jan 2015)
+
+  23 Jan 2015; Lars Wendler <polynomial-c@gentoo.org> +patch-2.7.2-r1.ebuild,
+  +files/patch-2.7.2-fix_for_CVE-2015-1196_fix.patch,
+  +files/patch-2.7.2-valid_filenames_on_renames_and_copies.patch:
+  Revbump to add two upstream fixes.

=sys-devel/2.7.2-r1 will be the stable candidate regarding this security bug.
+*patch-2.7.3 (23 Jan 2015)
+
+  23 Jan 2015; Lars Wendler <polynomial-c@gentoo.org> -patch-2.7.2-r1.ebuild,
+  +patch-2.7.3.ebuild:
+  Rather use latest release than patch the previous one (d'oh!)

=sys-devel/2.7.3 will be the stable candidate regarding this security bug.
I mean =sys-devel/patch-2.7.3
CVE-2015-1196 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1196): GNU patch 2.7.1 allows remote attackers to write to arbitrary files via a symlink attack in a patch file.
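As an added example (not code from this bug, from Debian, or from GNU patch itself), the following Python script is a pre-apply checker for git-style patches that flags the two behaviours the report above and the NVD entry describe: a target path that escapes the working tree, and a symlink created by the patch (git file mode 120000) that a later file in the same patch then writes through. The sample patch is constructed for the example. Assumptions: the patch will be applied with `-p1`, so the `a/` and `b/` prefixes on the `diff --git` line are stripped; `rename to` and `copy to` names are treated as already relative to the tree; only the header forms shown are parsed.

```python
"""Pre-apply checker for git-style patches (added example, not GNU patch code).

Flags paths that escape the working tree and symlinks created by the patch
that a later file in the same patch writes through.  Assumes -p1 application
(the a/ and b/ prefixes are stripped by the regex) and treats rename/copy
names as already relative to the tree.
"""
import posixpath
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SYMLINK_MODE = "120000"  # git mode for a symbolic link

DIFF_GIT_RE = re.compile(r"^diff --git a/(\S+) b/(\S+)$")
NEW_MODE_RE = re.compile(r"^new file mode (\d{6})$")
RENAME_COPY_RE = re.compile(r"^(?:rename|copy) to (.+)$")


@dataclass
class FileDiff:
    target: str                         # path patch will write, after -p1
    new_mode: Optional[str] = None      # from "new file mode", if present
    added_lines: List[str] = field(default_factory=list)


def escapes_tree(path: str) -> bool:
    """True if a path is absolute or normalises to above the working tree."""
    norm = posixpath.normpath(path)
    return path.startswith("/") or norm == ".." or norm.startswith("../")


def parse_git_patch(text: str) -> List[FileDiff]:
    """Split a git-style patch into per-file records (headers + added lines)."""
    diffs: List[FileDiff] = []
    cur: Optional[FileDiff] = None
    in_hunk = False
    for line in text.splitlines():
        m = DIFF_GIT_RE.match(line)
        if m:
            cur = FileDiff(target=m.group(2))
            diffs.append(cur)
            in_hunk = False
            continue
        if cur is None:
            continue
        if line.startswith("@@"):
            in_hunk = True
            continue
        if in_hunk:
            if line.startswith("+"):
                cur.added_lines.append(line[1:])
            continue
        m = NEW_MODE_RE.match(line)
        if m:
            cur.new_mode = m.group(1)
            continue
        m = RENAME_COPY_RE.match(line)
        if m:
            cur.target = m.group(1)
    return diffs


def audit(text: str) -> List[str]:
    """Return one finding per dangerous file entry, in patch order."""
    findings: List[str] = []
    symlinks: Dict[str, str] = {}  # patch-created link path -> resolved target
    for d in parse_git_patch(text):
        if escapes_tree(d.target):
            findings.append(f"{d.target}: path escapes working tree")
        # A later file under a link created by this same patch is written
        # wherever that link points (the CVE-2015-1196 pattern).
        for link, dest in symlinks.items():
            if d.target == link or d.target.startswith(link + "/"):
                findings.append(
                    f"{d.target}: written through patch-created symlink {link} -> {dest}")
        if d.new_mode == SYMLINK_MODE:
            # For a symlink the single added line is the link target; resolve
            # it relative to the link's own directory before judging it.
            raw = d.added_lines[0] if d.added_lines else ""
            dest = posixpath.normpath(posixpath.join(posixpath.dirname(d.target), raw))
            symlinks[d.target] = dest
            if escapes_tree(dest):
                findings.append(f"{d.target}: symlink to {dest} points outside working tree")
    return findings


# Constructed sample: a symlink to /tmp, a file written through it, a path
# with "..", and one benign file.
SAMPLE_PATCH = """\
diff --git a/evil b/evil
new file mode 120000
--- /dev/null
+++ b/evil
@@ -0,0 +1 @@
+/tmp
\\ No newline at end of file
diff --git a/evil/pwned b/evil/pwned
new file mode 100644
--- /dev/null
+++ b/evil/pwned
@@ -0,0 +1 @@
+owned
diff --git a/../escape b/../escape
new file mode 100644
--- /dev/null
+++ b/../escape
@@ -0,0 +1 @@
+x
diff --git a/README b/README
--- a/README
+++ b/README
@@ -1 +1 @@
-old
+new
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_PATCH):
        print(f)
```

The check is deliberately conservative: it reports symlink creation pointing outside the tree and any write under a patch-created link regardless of which patch version will apply it, since an unprivileged user applying untrusted patches should refuse both rather than rely on the tool's own guards.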
Maintainer(s), please advise when you are ready for stabilization, or call for stabilization yourself.
Arches please test and mark stable =sys-devel/patch-2.7.3 with target KEYWORDS: alpha amd64 arm ~arm64 hppa ia64 ~m68k mips ppc ppc64 ~s390 ~sh sparc x86 ~ppc-aix ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~x64-freebsd ~x86-freebsd ~hppa-hpux ~ia64-hpux ~x86-interix ~amd64-linux ~arm-linux ~ia64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris
Stable for HPPA.
amd64 stable
There's a complaint about this version here : https://lkml.org/lkml/2015/1/26/522
ppc stable
arm stable
x86 stable
sparc stable
ppc64 stable
ia64 stable
alpha stable. Maintainer(s), please cleanup. Security, please vote.
GLSA vote: no.
GLSA Vote: No
Maintainer(s), please drop the vulnerable version(s).
Maintainer(s), thank you for the cleanup as part of Bug 537596.