Your message dated Wed, 13 Jun 2018 22:17:08 +0000
with message-id <e1fte4i-0008zq...@fasolo.debian.org>
and subject line Bug#894993: fixed in patch 2.7.5-1+deb9u1
has caused the Debian Bug report #894993,
regarding patch: CVE-2018-1000156: input validation vulnerability when processing patch files
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
894993: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=894993
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: patchutils
Version: 0.3.4-2
Severity: normal
Tags: security

As mentioned at https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=894667
and https://rachelbythebay.com/w/2018/04/05/bangpatch/, it's possible
for someone to create an ed diff that contains arbitrary commands, which
patch will then dutifully execute.  This behavior, which FreeBSD and
OpenBSD have issued security advisories for, is surprising and not
likely to be appreciated by users.

POSIX 1003.1-2008[0] restricts the valid commands in an ed diff to a, c,
d, i, and s.  patch should ensure any input it sends to ed contains only
those commands and abort if it does not.

[0] http://pubs.opengroup.org/onlinepubs/9699919799/utilities/diff.html

-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable'), (500, 'stable'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.16.0-rc6-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages patchutils depends on:
ii  debianutils  4.8.4
ii  libc6        2.27-3
ii  patch        2.7.6-1
ii  perl         5.26.1-5

patchutils recommends no packages.

patchutils suggests no packages.

-- no debconf information

-- 
brian m. carlson: Houston, Texas, US
OpenPGP: https://keybase.io/bk2204

Attachment: signature.asc
Description: PGP signature


--- End Message ---
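The check the report above asks for, written out as an added example. This is not code from the bug report, the Debian package or GNU patch's own fix: it is a small Python parser that accepts only the POSIX `diff -e` command subset (a, c, d, i and s with numeric addresses, where the only substitution allowed is the `s/.//` that `diff -e` emits to restore a line consisting of a single dot) and then applies the script in-process, so no `ed` is ever spawned and a shell-escape or any other ed command is refused before anything runs. The sample file, the two scripts and all function names are constructed for illustration.

```python
"""Validate and apply POSIX ed-style diffs without handing them to ed."""
import re

# POSIX 1003.1-2008 restricts 'diff -e' output to these ed commands.
ALLOWED_COMMANDS = {"a", "c", "d", "i", "s"}
# address[,address] followed by one command letter and any trailing text.
COMMAND_RE = re.compile(r"^(\d+)(?:,(\d+))?([acdis])(.*)$")
# The only substitution 'diff -e' emits: it writes a lone '.' line as '..'
# inside a text block and strips the extra dot afterwards with 's/.//'.
DOT_SUBST = "/.//"


class EdScriptError(ValueError):
    """Raised when the script contains anything outside the POSIX ed-diff subset."""


def parse_ed_script(script):
    """Parse an ed-style diff into (start, end, cmd, body) tuples.

    Any line that is not an a/c/d/i/s command with numeric addresses
    ('!', 'w', 'r', 'g', 'e', ...) raises EdScriptError, so nothing
    outside the diff subset can reach an interpreter.
    """
    lines = script.split("\n")
    if lines and lines[-1] == "":
        lines.pop()  # drop the empty element left by a trailing newline
    commands = []
    i = 0
    while i < len(lines):
        m = COMMAND_RE.match(lines[i])
        if m is None:
            raise EdScriptError(f"line {i + 1}: not a POSIX ed diff command: {lines[i]!r}")
        a1, a2, cmd, rest = m.groups()
        start = int(a1)
        end = int(a2) if a2 is not None else start
        if end < start:
            raise EdScriptError(f"line {i + 1}: backwards address range {start},{end}")
        if cmd == "s" and rest != DOT_SUBST:
            raise EdScriptError(f"line {i + 1}: only 's{DOT_SUBST}' is permitted")
        if cmd != "s" and rest != "":
            raise EdScriptError(f"line {i + 1}: trailing text after command: {rest!r}")
        i += 1
        body = None
        if cmd in ("a", "c", "i"):
            # a/c/i are followed by text lines terminated by a line holding only '.'
            body = []
            while i < len(lines) and lines[i] != ".":
                body.append(lines[i])
                i += 1
            if i == len(lines):
                raise EdScriptError("unterminated text block (missing '.')")
            i += 1  # consume the terminating '.'
        commands.append((start, end, cmd, body))
    return commands


def apply_ed_script(original, script):
    """Apply a validated ed-style diff to a list of lines and return the new list."""
    lines = list(original)
    for start, end, cmd, body in parse_ed_script(script):
        n = len(lines)
        if cmd == "a":  # append after line 'start'; 0a prepends
            if start > n:
                raise EdScriptError(f"{start}a: address past end of file ({n} lines)")
            lines[start:start] = body
        elif cmd == "i":  # insert before line 'start'; 0i behaves like 1i
            if start > n:
                raise EdScriptError(f"{start}i: address past end of file ({n} lines)")
            at = max(start - 1, 0)
            lines[at:at] = body
        else:
            if start < 1 or end > n:
                raise EdScriptError(f"{start},{end}{cmd}: address out of range (1..{n})")
            if cmd == "c":
                lines[start - 1:end] = body
            elif cmd == "d":
                del lines[start - 1:end]
            else:  # 's/.//': remove the first '.' on each addressed line
                for k in range(start - 1, end):
                    lines[k] = lines[k].replace(".", "", 1)
    return lines


# Constructed sample input: a four-line file and a 'diff -e' style script
# (commands in descending line order, as diff -e emits them).
SAMPLE_ORIGINAL = ["alpha", "beta", "gamma", "delta"]
SAMPLE_SCRIPT = "4d\n2,3c\nBETA\n.\n1a\ninserted\n.\n"
# Constructed script that must be refused: a shell-escape line after a valid append.
REJECTED_SCRIPT = "1a\nhello\n.\n!some-command\n"


def demo():
    """Return (patched lines, whether the hostile script was rejected)."""
    patched = apply_ed_script(SAMPLE_ORIGINAL, SAMPLE_SCRIPT)
    try:
        parse_ed_script(REJECTED_SCRIPT)
        rejected = False
    except EdScriptError:
        rejected = True
    return patched, rejected


if __name__ == "__main__":
    print(demo())
```

Applying the script in-process rather than filtering it and still piping it to `ed` is the stronger of the two options the report leaves open: the allow-list is then the whole interpreter, and a future change to `ed` cannot widen what a diff can do.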
--- Begin Message ---
Source: patch
Source-Version: 2.7.5-1+deb9u1

We believe that the bug you reported is fixed in the latest version of
patch, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 894...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Laszlo Boszormenyi (GCS) <g...@debian.org> (supplier of updated patch package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 16 Apr 2018 20:48:43 +0000
Source: patch
Binary: patch
Architecture: source amd64
Version: 2.7.5-1+deb9u1
Distribution: stretch
Urgency: medium
Maintainer: Laszlo Boszormenyi (GCS) <g...@debian.org>
Changed-By: Laszlo Boszormenyi (GCS) <g...@debian.org>
Description:
 patch      - Apply a diff file to an original
Closes: 894993
Changes:
 patch (2.7.5-1+deb9u1) stretch; urgency=medium
 .
   * Fix CVE-2018-1000156: arbitrary command execution in ed-style patches
     (closes: #894993).
Checksums-Sha1:
 96b77e88afb91b828289109bdc0a2eab9ffb8ab3 1840 patch_2.7.5-1+deb9u1.dsc
 d66e3a914b19c0a6f1ec06c0f9912fa3b704be1f 10584 patch_2.7.5-1+deb9u1.debian.tar.xz
 4b5bcc7a40b67350939c77deddad27306d477a87 169198 patch-dbgsym_2.7.5-1+deb9u1_amd64.deb
 222193f00d9cc0f1e766b49cf5cd47dd637fa6fc 6290 patch_2.7.5-1+deb9u1_amd64.buildinfo
 be60ed17580be3bde3ed10952e77922f9dcdd115 111626 patch_2.7.5-1+deb9u1_amd64.deb
Checksums-Sha256:
 90ff999a9bce963d2adf7afab34aca5227d861bdee85fc8bb324581c1cca0350 1840 patch_2.7.5-1+deb9u1.dsc
 8f040aa1abb96579d114bac43d8e0d8f22ef63c689d1ebebd17941fa37d11577 10584 patch_2.7.5-1+deb9u1.debian.tar.xz
 202f950959371ff6ed95f9e7b5358fdf380e53073908b234abd124edcb202258 169198 patch-dbgsym_2.7.5-1+deb9u1_amd64.deb
 e752b00e3e21dbb15ee44f997ad3c0652253a865260ce99182168e60bdcac1f6 6290 patch_2.7.5-1+deb9u1_amd64.buildinfo
 88d2965ae2b927e17f86b373b4088bd68ccdb1c625134a0b5d1522d78bfcd12f 111626 patch_2.7.5-1+deb9u1_amd64.deb
Files:
 13a6efcbe9ebfec737686cbbb62abada 1840 vcs standard patch_2.7.5-1+deb9u1.dsc
 4b7f5c8b2c0d0dba7bfe96fb3c0180b4 10584 vcs standard patch_2.7.5-1+deb9u1.debian.tar.xz
 b1c850fef8e60d37da96aabc65678ff0 169198 debug extra patch-dbgsym_2.7.5-1+deb9u1_amd64.deb
 46fea8036ce16d0cf1cd62907a440b78 6290 vcs standard patch_2.7.5-1+deb9u1_amd64.buildinfo
 b234a85eb20fc1004d15a053e1ca5baf 111626 vcs standard patch_2.7.5-1+deb9u1_amd64.deb

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
