Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 

441d6314 by Salvatore Bonaccorso at 2018-04-07T08:14:14+02:00
Mark patch as no-dsa, can be fixed via point release

If one applies a patch without understanding what (potentially) happens
-- in particular here when processing ed diffs -- then one can smuggle in
malicious code as well in the patched code itself.

- - - - -

1 changed file:

- data/CVE/list


--- a/data/CVE/list
+++ b/data/CVE/list
@@ -129209,6 +129209,8 @@ CVE-2015-1418 (The do_ed_script function in pch.c in 
GNU patch through 2.7.6, an
        NOT-FOR-US: patch as used in FreeBSD specifically
 CVE-2018-1000156 (GNU Patch version 2.7.6 contains an input validation 
vulnerability ...)
        - patch 2.7.6-2 (bug #894993)
+       [stretch] - patch <no-dsa> (Can be fixed via point release)
+       [jessie] - patch <no-dsa> (Can be fixed via point release)
        NOTE: Upstream bug:
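
Review bot: the reason text on the two added `[stretch]` and `[jessie]` lines records only how the fix will ship ("Can be fixed via point release"), not why the issue is judged not to need a DSA. That rationale appears only in the commit message (the issue matters when someone applies a patch, in particular an ed diff, without understanding what it does), so a reader of data/CVE/list alone cannot see it. Consider stating that precondition in the parenthetical on both lines, or in a NOTE: line under the CVE-2018-1000156 entry, so the triage decision is documented where the tracker data lives.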
