Your message dated Fri, 06 Apr 2018 16:20:24 +0000
with message-id <e1f4u6c-000gat...@fasolo.debian.org>
and subject line Bug#894993: fixed in patch 2.7.6-2
has caused the Debian Bug report #894993,
regarding patch: CVE-2018-1000156: input validation vulnerability when processing patch files
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
894993: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=894993
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: patchutils
Version: 0.3.4-2
Severity: normal
Tags: security

As mentioned at https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=894667
and https://rachelbythebay.com/w/2018/04/05/bangpatch/, it's possible
for someone to create an ed diff that contains arbitrary commands, which
patch will then dutifully execute.  This behavior, which FreeBSD and
OpenBSD have issued security advisories for, is surprising and not
likely to be appreciated by users.

POSIX 1003.1-2008[0] restricts the valid commands in an ed diff to a, c,
d, i, and s.  patch should ensure any input it sends to ed contains only
those commands and abort if it does not.

[0] http://pubs.opengroup.org/onlinepubs/9699919799/utilities/diff.html

-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable'), (500, 'stable'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.16.0-rc6-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages patchutils depends on:
ii  debianutils  4.8.4
ii  libc6        2.27-3
ii  patch        2.7.6-1
ii  perl         5.26.1-5

patchutils recommends no packages.

patchutils suggests no packages.

-- no debconf information

-- 
brian m. carlson: Houston, Texas, US
OpenPGP: https://keybase.io/bk2204



--- End Message ---
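As an added illustration of the check the report asks for (this is not code from patch, patchutils or the reporter): a small validator that accepts only the a, c, d, i and s commands POSIX permits in an ed-style diff and rejects every other command line before the script would be handed to ed. The allowed set, the address syntax and the two sample scripts are assumptions constructed for the example.

```python
import re

# POSIX 1003.1-2008 (diff -e) only ever emits these ed commands; the
# report above argues patch should refuse anything else. ALLOWED is
# our assumption of that list, not patch's own code.
ALLOWED = frozenset("acdis")

# Optional first address, optional ",second" address, one command
# character, then whatever follows it. Anything else fails closed.
_CMD = re.compile(r"^(\d+)?(?:,(\d+))?([a-z!])(.*)$")
_SUBST = re.compile(r"/.*/.*/")      # s/pattern/replacement/ form


def validate_ed_script(script: str):
    """Return (ok, reason) for an ed-style diff before it reaches ed."""
    in_text = False
    for lineno, line in enumerate(script.splitlines(), 1):
        if in_text:                   # inside an a/c/i block: data, not commands
            if line == ".":
                in_text = False
            continue
        m = _CMD.match(line)
        if m is None:
            return False, f"line {lineno}: unrecognised command line {line!r}"
        cmd, rest = m.group(3), m.group(4)
        if cmd not in ALLOWED:        # catches '!', 'r', 'e', 'w', 'q', ...
            return False, f"line {lineno}: command {cmd!r} is not allowed in an ed diff"
        if cmd == "s":
            if _SUBST.fullmatch(rest) is None:
                return False, f"line {lineno}: malformed substitution {line!r}"
        elif rest:                    # a, c, d, i take no trailing text
            return False, f"line {lineno}: trailing text after {cmd!r}: {rest!r}"
        elif cmd in "aci":
            in_text = True            # following lines are literal text up to '.'
    if in_text:
        return False, "text block not terminated by '.'"
    return True, "ok"


# Constructed samples (not taken from the bug report).
GOOD_SCRIPT = "3c\nreplacement line\n.\n1d\n"
BAD_SCRIPT = "3a\nsome text\n.\n1!echo not-allowed\n"

if __name__ == "__main__":
    for name, script in (("good", GOOD_SCRIPT), ("bad", BAD_SCRIPT)):
        print(name, validate_ed_script(script))
```

Because the parser fails closed, a line it does not understand is rejected just like a known-dangerous one, which is the behaviour a wrapper in front of ed should have.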
--- Begin Message ---
Source: patch
Source-Version: 2.7.6-2

We believe that the bug you reported is fixed in the latest version of
patch, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 894...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Laszlo Boszormenyi (GCS) <g...@debian.org> (supplier of updated patch package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)



Format: 1.8
Date: Fri, 06 Apr 2018 15:20:36 +0000
Source: patch
Binary: patch
Architecture: source amd64
Version: 2.7.6-2
Distribution: unstable
Urgency: high
Maintainer: Laszlo Boszormenyi (GCS) <g...@debian.org>
Changed-By: Laszlo Boszormenyi (GCS) <g...@debian.org>
Description:
 patch      - Apply a diff file to an original
Closes: 894993
Changes:
 patch (2.7.6-2) unstable; urgency=high
 .
   * Backport patches from upstream Git tree:
     - fix NULL pointer read with mangled rename,
     - allow input files to be missing for ed-style patches,
     - CVE-2018-1000156: fix arbitrary command execution in ed-style patches
       (closes: #894993).
   * Disable Vcs-* fields for now.


--- End Message ---
