Sunday, May 31, 2020

Re: Fix GNU patch CVE-2018-1000156

On Sun, May 31, 2020 at 01:40:17AM +0000, Brian Callahan wrote:
> Hi ports --
>
> repology.org has a new feature where it tracks the CVEs against its
> database of software. I decided to check it out to see if any of my
> ports were vulnerable. I discovered that our GNU patch is vulnerable
> to CVE-2018-1000156. It has been fixed upstream but no new release
> has been made including the fix. So I cherry-picked it for our
> package.
>
> Upstream does have a test with it, but adding the test to the build
> would bring in a dependency on autotools, so I left it out but I did
> confirm that the test passes on amd64 and sparc64.
>
> Tested on amd64 and sparc64. Additionally, on amd64 I built
> everything that depends on gpatch. Libreoffice is still building;
> will report back if it fails to build.

Looks good. Perhaps you want to indicate that the first hunk fixes
something else?

Note that upstream added a few fixes for this patch on top of this patch
(e.g., fwrite return value checks and cleanup for the tempfile on error).
You might want to pull those in as well - your call.

ok tb as it is.

> Should this be backported to -stable?

If you want to do the work, sure. I don't think it's that big a deal if
you don't. Note though that it is used as a BDEP for a handful of ports.
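The follow-up fixes tb refers to (checking the fwrite return value and removing the temp file when a write fails) are a generic pattern worth seeing in full. The code below is an added example written for this page, not GNU patch's own implementation; `write_tempfile` and `read_file` are hypothetical helper names, and the sample payload is constructed.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/*
 * write_tempfile: create a temp file under `dir`, write `len` bytes of `buf`
 * into it, and return its path in `out` (at most `outsz` bytes).
 *
 * Returns 0 on success. On any failure it returns -1 with errno set by the
 * failing call, and the half-written temp file is unlinked so no partial
 * output survives. Every write-side call is checked: fdopen, fwrite and
 * fclose, because buffered data may only reach the disk (and fail) at fclose.
 * Hypothetical helper, not GNU patch's code.
 */
int write_tempfile(const char *dir, const unsigned char *buf, size_t len,
                   char *out, size_t outsz)
{
    char tmpl[4096];
    int n = snprintf(tmpl, sizeof tmpl, "%s/patch.XXXXXX", dir);
    if (n < 0 || (size_t)n >= sizeof tmpl) {
        errno = ENAMETOOLONG;
        return -1;
    }

    int fd = mkstemp(tmpl);          /* mode 0600, exclusive create */
    if (fd == -1)
        return -1;                   /* nothing to clean up yet */

    FILE *fp = fdopen(fd, "w");
    if (fp == NULL) {
        int e = errno;
        close(fd);
        unlink(tmpl);
        errno = e;
        return -1;
    }

    /* fwrite returns the number of items written; anything short of `len`
     * is an error. Ignoring it would silently leave a truncated file. */
    if (fwrite(buf, 1, len, fp) != len) {
        int e = errno;
        fclose(fp);
        unlink(tmpl);
        errno = e;
        return -1;
    }

    /* fclose flushes the stdio buffer; a full disk usually shows up here. */
    if (fclose(fp) != 0) {
        int e = errno;
        unlink(tmpl);
        errno = e;
        return -1;
    }

    if (strlen(tmpl) >= outsz) {
        unlink(tmpl);                /* caller cannot learn the path: remove it */
        errno = ENAMETOOLONG;
        return -1;
    }
    memcpy(out, tmpl, strlen(tmpl) + 1);
    return 0;
}

/* Demo helper: read a file back into `buf`, returning its size or -1. */
long read_file(const char *path, unsigned char *buf, size_t bufsz)
{
    FILE *fp = fopen(path, "r");
    if (fp == NULL)
        return -1;
    size_t n = fread(buf, 1, bufsz, fp);
    if (ferror(fp)) {
        fclose(fp);
        return -1;
    }
    fclose(fp);
    return (long)n;
}

int main(void)
{
    /* Constructed sample payload; not taken from any real patch. */
    const unsigned char sample[] = "--- a/foo\n+++ b/foo\n";
    char path[256];

    if (write_tempfile(".", sample, sizeof sample - 1, path, sizeof path) != 0) {
        perror("write_tempfile");
        return 1;
    }
    printf("wrote %zu bytes to %s\n", sizeof sample - 1, path);
    unlink(path);

    /* Failure path: directory does not exist, so mkstemp fails and no file is left. */
    if (write_tempfile("/nonexistent-dir", sample, sizeof sample - 1, path, sizeof path) != 0)
        perror("write_tempfile (expected failure)");
    return 0;
}
```

The point of checking `fclose` separately from `fwrite` is that stdio buffers output: a short `fwrite` may succeed in memory and only fail when the buffer is flushed, so a writer that checks `fwrite` alone can still leave a truncated file behind.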
