GNU patch version 2.7.6 was released in 2018, six years ago. Since then, a bunch of fixes have been made.
Gentoo currently backports 12 commits from patch's master branch, including a bunch of CVE fixes. Even this isn't enough to fix, for example, https://bugs.gentoo.org/898598, which simply requires a new dist tarball with updated gnulib. (Unfortunately, updating gnulib is sufficiently complex I'm afraid to touch it, and it is definitely going to be a problem to do it fully offline as needed for distro packaging, especially for a oneshot event.)

gnulib was updated in response to the email thread: "Build failure caused by out of date gnulib"

So it sounds like other people would appreciate a new release as well.

In particular I think it's important that CVE fixes be available in a new dist tarball, to avoid the issue that not everyone will realize they need to backport these fixes, and as a result, potentially end up with a vulnerable `patch` binary.

-- Eli Schwartz
