Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 647792 - <sys-devel/patch-2.7.6-r3: Double free of memory in pch.c:another_hunk() causes a crash (CVE-2018-6952)
Summary: <sys-devel/patch-2.7.6-r3: Double free of memory in pch.c:another_hunk() caus...
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
Whiteboard: A3 [glsa+ cve]
Depends on: CVE-2018-1000156
  Show dependency tree
Reported: 2018-02-16 00:33 UTC by GLSAMaker/CVETool Bot
Modified: 2019-04-17 18:29 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description GLSAMaker/CVETool Bot gentoo-dev 2018-02-16 00:33:40 UTC
CVE-2018-6952 (
  A double free exists in the another_hunk function in pch.c in GNU patch
  through 2.7.6.
Comment 1 Aaron Bauman (RETIRED) gentoo-dev 2019-03-24 04:05:32 UTC
Upstream fix:

Hopefully, it will be in the next release.
Comment 2 Larry the Git Cow gentoo-dev 2019-03-28 00:33:15 UTC
The bug has been referenced in the following commit(s):

commit 5c55ece4eee17a954740b8ecc03b1cb8ed58c123
Author:     Thomas Deutschmann <>
AuthorDate: 2019-03-28 00:32:30 +0000
Commit:     Thomas Deutschmann <>
CommitDate: 2019-03-28 00:33:05 +0000

    sys-devel/patch: add patches for CVE-2018-{6951,6952}, CVE-2018-1000156
    Package-Manager: Portage-2.3.62, Repoman-2.3.12
    Signed-off-by: Thomas Deutschmann <>

 .../patch/files/patch-2.7.6-CVE-2018-1000156.patch | 150 +++++++++++++++++++++
 .../patch/files/patch-2.7.6-CVE-2018-6951.patch    |  29 ++++
 .../patch/files/patch-2.7.6-CVE-2018-6952.patch    |  30 +++++
 ...-files-to-be-missing-for-ed-style-patches.patch |  25 ++++
 sys-devel/patch/patch-2.7.6-r3.ebuild              |  40 ++++++
 5 files changed, 274 insertions(+)
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2019-04-17 18:29:58 UTC
This issue was resolved and addressed in
 GLSA 201904-17 at
by GLSA coordinator Aaron Bauman (b-man).