Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 690136 (CVE-2019-13636, CVE-2019-13638) - <sys-devel/patch-2.7.6-r4: multiple vulnerabilities
Summary: <sys-devel/patch-2.7.6-r4: multiple vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2019-13636, CVE-2019-13638
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major (vote)
Assignee: Gentoo Security
URL:
Whiteboard: A2 [glsa+ cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2019-07-18 08:43 UTC by D'juan McDonald (domhnall)
Modified: 2019-08-23 10:27 UTC (History)
2 users (show)

See Also:
Package list:
sys-devel/patch-2.7.6-r4
Runtime testing required: ---
stable-bot: sanity-check+


Attachments
patch-2.7.6-r4.ebuild (patch-2.7.6-r4.ebuild,1.36 KB, text/plain)
2019-08-16 08:07 UTC, Teika kazura
no flags Details
patch-2.7.6-CVE-2019-13636.patch (patch-2.7.6-CVE-2019-13636.patch,3.66 KB, patch)
2019-08-16 08:08 UTC, Teika kazura
no flags Details | Diff
patch-2.7.6-CVE-2019-13638.patch (patch-2.7.6-CVE-2019-13638.patch,1.16 KB, patch)
2019-08-16 08:09 UTC, Teika kazura
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description D'juan McDonald (domhnall) 2019-07-18 08:43:29 UTC
(https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13636):

In GNU patch through 2.7.6, the following of symlinks is mishandled in certain cases other than input files. This affects inp.c and util.c.

upstream patch: https://git.savannah.gnu.org/cgit/patch.git/commit/?id=dce4683cbbe107a95f1f0d45fabc304acfb5d71a


Gentoo Security Padawan
(domhnall)
Comment 1 Teika kazura 2019-07-29 00:02:22 UTC
There's also cve-2019-13638 (shell command injection vuln). See e.g. https://security-tracker.debian.org/tracker/CVE-2019-13638 
The upstream fix is also ready:
 https://git.savannah.gnu.org/cgit/patch.git/commit/?id=3fcd042d26d70856e826a42b5f93dc4854d80bf0

Regards.
Comment 2 Teika kazura 2019-08-16 08:07:09 UTC
Created attachment 587032 [details]
patch-2.7.6-r4.ebuild

I've created an ebuild that incorporates the above two patches for Gentoo users' sake.

Use at your own risk. At least it can src_prepare itself.
Comment 3 Teika kazura 2019-08-16 08:08:25 UTC
Created attachment 587034 [details, diff]
patch-2.7.6-CVE-2019-13636.patch

CVE-2019-13636 part.
Comment 4 Teika kazura 2019-08-16 08:09:36 UTC
Created attachment 587036 [details, diff]
patch-2.7.6-CVE-2019-13638.patch

CVE-2019-13638 part.

Best regards.
Comment 5 Teika kazura 2019-08-16 08:22:06 UTC
The above ebuild is my personal work, *NOT* by a Gentoo developer. Sorry to have forgotten to mention it in the first place. But hope it helps for someone.
Comment 6 Larry the Git Cow gentoo-dev 2019-08-16 12:40:31 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b4e5bfd9d4c04c2f942bbecce62e4394d827de16

commit b4e5bfd9d4c04c2f942bbecce62e4394d827de16
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2019-08-16 12:38:46 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2019-08-16 12:40:22 +0000

    sys-devel/patch: rev bump to add some patches
    
    Bug: https://bugs.gentoo.org/690136
    Package-Manager: Portage-2.3.71, Repoman-2.3.17
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 ...lid-memory-access-in-context-format-diffs.patch |  26 +++++
 .../files/patch-2.7.6-CVE-2018-1000156-fix1.patch  | 102 +++++++++++++++++++
 .../files/patch-2.7.6-CVE-2018-1000156-fix2.patch  |  37 +++++++
 .../patch/files/patch-2.7.6-CVE-2019-13636.patch   | 108 +++++++++++++++++++++
 .../patch/files/patch-2.7.6-CVE-2019-13638.patch   |  38 ++++++++
 ...hen-RLIMIT_NOFILE-is-set-to-RLIM_INFINITY.patch |  89 +++++++++++++++++
 sys-devel/patch/patch-2.7.6-r4.ebuild              |  46 +++++++++
 7 files changed, 446 insertions(+)
Comment 7 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2019-08-16 21:50:05 UTC
amd64 stable
Comment 8 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2019-08-16 21:52:52 UTC
arm64 stable
Comment 9 Thomas Deutschmann gentoo-dev Security 2019-08-16 22:40:05 UTC
x86 stable
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2019-08-18 02:25:30 UTC
This issue was resolved and addressed in
 GLSA 201908-22 at https://security.gentoo.org/glsa/201908-22
by GLSA coordinator Aaron Bauman (b-man).
Comment 11 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2019-08-18 02:26:01 UTC
re-open for final arches
Comment 12 Rolf Eike Beer 2019-08-18 08:39:59 UTC
sparc stable
Comment 13 Sergei Trofimovich gentoo-dev 2019-08-18 10:16:40 UTC
ia64/ppc/ppc64 stable
Comment 14 Sergei Trofimovich gentoo-dev 2019-08-19 07:03:08 UTC
hppa stable
Comment 15 Agostino Sarubbo gentoo-dev 2019-08-23 10:00:34 UTC
s390 stable
Comment 16 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2019-08-23 10:24:33 UTC
sh stable
Comment 17 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2019-08-23 10:24:56 UTC
m68k stable
Comment 18 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2019-08-23 10:25:17 UTC
alpha stable
Comment 19 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2019-08-23 10:25:58 UTC
arm stable