Your message dated Tue, 12 Jun 2018 20:43:56 +0000 with message-id <e1fsq8y-000azj...@fasolo.debian.org> and subject line Bug#894993: fixed in patch 2.7.5-1+deb8u1 has caused the Debian Bug report #894993, regarding patch: CVE-2018-1000156: input validation vulnerability when processing patch files to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.)

--
894993: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=894993
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: patchutils
Version: 0.3.4-2
Severity: normal
Tags: security

As mentioned at https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=894667 and https://rachelbythebay.com/w/2018/04/05/bangpatch/, it's possible for someone to create an ed diff that contains arbitrary commands, which patch will then dutifully execute. This behavior, which FreeBSD and OpenBSD have issued security advisories for, is surprising and not likely to be appreciated by users.

POSIX 1003.1-2008[0] restricts the valid commands in an ed diff to a, c, d, i, and s. patch should ensure any input it sends to ed contains only those commands and abort if it does not.

[0] http://pubs.opengroup.org/onlinepubs/9699919799/utilities/diff.html

-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable'), (500, 'stable'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.16.0-rc6-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages patchutils depends on:
ii  debianutils  4.8.4
ii  libc6        2.27-3
ii  patch        2.7.6-1
ii  perl         5.26.1-5

patchutils recommends no packages.

patchutils suggests no packages.

-- no debconf information

--
brian m. carlson: Houston, Texas, US
OpenPGP: https://keybase.io/bk2204
--- End Message ---
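The check the report asks for, written out as an added example (my own code, not part of patch or patchutils): a validator that accepts only the command lines a `diff -e` script may contain (a, c, d, i, plus the single `s/.//` substitution, which I assume is the form diff emits to restore an inserted line consisting of a lone dot) and rejects anything else before the script is handed to ed. The sample scripts are constructed for the example.

```python
import re

# Accepted grammar: optional address "N" or "N,M", then one of a, c, d, i, or
# the exact substitution "s/.//" (assumed to be the form diff -e emits for a
# text line consisting of a single dot). Anything else is rejected.
_CMD_RE = re.compile(r"^(?:(?P<a1>\d+)(?:,(?P<a2>\d+))?)?(?P<cmd>[acdi]|s/\.//)[ \t]*$")


class EdScriptError(ValueError):
    """A line that is not one of the commands a diff -e script may contain."""


def validate_ed_script(script: str) -> list[tuple[str, str]]:
    """Return [(command letter, address), ...] or raise EdScriptError.

    Text lines inside an a, c or i block (up to the lone '.' terminator) are
    never interpreted as commands; any other command letter, a range on a or
    i, or an unterminated block is rejected so the caller can abort before ed.
    """
    lines = script.split("\n")
    if lines and lines[-1] == "":
        lines.pop()  # drop the empty piece after the trailing newline
    commands, i = [], 0
    while i < len(lines):
        m = _CMD_RE.match(lines[i])
        if m is None:
            raise EdScriptError(f"line {i + 1}: not an ed diff command: {lines[i]!r}")
        cmd, addr = m.group("cmd")[0], lines[i][: m.start("cmd")]
        if cmd in ("a", "i") and m.group("a2") is not None:
            raise EdScriptError(f"line {i + 1}: {cmd!r} takes a single address")
        commands.append((cmd, addr))
        i += 1
        if cmd in ("a", "c", "i"):
            while i < len(lines) and lines[i] != ".":
                i += 1  # body text, passed through untouched
            if i == len(lines):
                raise EdScriptError(f"text block for {cmd!r} is never terminated")
            i += 1  # skip the '.' terminator
    return commands


def is_safe_ed_script(script: str) -> bool:
    """True if validate_ed_script accepts every line of the script."""
    try:
        validate_ed_script(script)
        return True
    except EdScriptError:
        return False


# Constructed samples (not from the page); hunks come last-first as diff -e emits them.
SAMPLE_OK = "10,11d\n7a\nappended line\n.\n3c\nreplacement line\n. not a terminator\n.\n"
SAMPLE_DOT = "1a\n..\n.\ns/.//\n"  # assumed encoding of an inserted line that is just "."
```

A wrapper around patch would run `is_safe_ed_script` on the ed hunk before invoking ed and refuse the whole patch on a False result, which is the abort behaviour the report requests.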
--- Begin Message ---
Source: patch
Source-Version: 2.7.5-1+deb8u1

We believe that the bug you reported is fixed in the latest version of patch, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 894...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Laszlo Boszormenyi (GCS) <g...@debian.org> (supplier of updated patch package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 16 Apr 2018 20:48:14 +0000
Source: patch
Binary: patch
Architecture: source amd64
Version: 2.7.5-1+deb8u1
Distribution: jessie
Urgency: medium
Maintainer: Laszlo Boszormenyi (GCS) <g...@debian.org>
Changed-By: Laszlo Boszormenyi (GCS) <g...@debian.org>
Description:
 patch - Apply a diff file to an original
Closes: 894993
Changes:
 patch (2.7.5-1+deb8u1) jessie; urgency=medium
 .
   * Fix CVE-2018-1000156: arbitrary command execution in ed-style patches
     (closes: #894993).
--- End Message ---