Bug 22587

Summary: patch new security issues
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: brtians1, herman.viaene, mageia, marja11, saintdoux95, sysadmin-bugs
Version: 6Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA5TOO MGA5-32-OK MGA6-64-OK mga6-32-ok
Source RPM: patch-2.7.5-2.mga6.src.rpm CVE:
Status comment: First two issues fixed upstream, third not fixed yet

Description David Walser 2018-02-14 02:56:53 CET 
A few security issues in patch have been announced today (February 13):
http://openwall.com/lists/oss-security/2018/02/13/3

It looks like the first two have been fixed upstream and the third hasn't been.

Mageia 5 and Mageia 6 are also affected.
David Walser 2018-02-14 02:57:10 CET

Whiteboard: (none) => MGA6TOO
Status comment: (none) => First two issues fixed upstream, third not fixed yet

Comment 1 Marja Van Waes 2018-02-14 16:58:00 CET 
Assigning to the registered maintainer.

CC: (none) => marja11
Assignee: bugsquad => tmb

Saint Doux 2018-02-14 22:51:04 CET

Flags: (none) => in_errata7-
CC: (none) => saintdoux95

Comment 2 Saint Doux 2018-02-14 22:52:14 CET 
comment telecharger ce patch merci
Marja Van Waes 2018-02-16 17:07:50 CET

Flags: in_errata7- => (none)

Comment 3 David Walser 2018-02-24 16:58:43 CET 
Patch 2.7.6 itself fixed CVE-2016-10713, CVE-2018-6951, CVE-2018-6952, according to this Fedora advisory on February 20:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/32RICOL2D42H2MIK22XRP4LDOLKVPUFP/
David Walser 2018-03-15 20:59:30 CET

Whiteboard: MGA6TOO => MGA6TOO, MGA5TOO

Comment 4 David Walser 2018-04-08 01:24:37 CEST 
Another issue, CVE-2018-1000156:
http://openwall.com/lists/oss-security/2018/04/06/1
Comment 5 David Walser 2018-04-11 23:55:07 CEST 
Ubuntu has issued an advisory for this on April 10:
https://usn.ubuntu.com/3624-1/
Comment 6 David Walser 2018-05-02 23:35:50 CEST 
SUSE has issued an advisory for this today (May 2):
https://lists.opensuse.org/opensuse-security-announce/2018-05/msg00001.html
Comment 7 David Walser 2018-05-03 18:43:54 CEST 
openSUSE has issued an advisory for this today (May 3):
https://lists.opensuse.org/opensuse-updates/2018-05/msg00008.html
Comment 9 Thomas Backlund 2018-06-07 19:09:12 CEST 
Fixed in cauldron in patch-2.7.6-2.mga7


Mga6 package updated to 2.7.6 and added the fix for CVE-2018-1000156 


SRPM and RPM name:

patch-2.7.6-1.mga6

Assignee: tmb => qa-bugs
Whiteboard: MGA6TOO, MGA5TOO => (none)
Version: Cauldron => 6

Comment 10 David Walser 2018-06-09 00:16:32 CEST 
Advisory:
========================

Updated patch package fixes security vulnerabilities:

It was discovered that Patch incorrectly handled certain files. An attacker
could possibly use this to cause a denial of service (CVE-2016-10713).

It was discovered that Patch incorrectly handled certain inputs. An attacker
could possibly use this to cause a denial of service (CVE-2018-6951).

It was discovered that Patch incorrectly handled certain input validation. An
attacker could possibly use this to execute arbitrary code (CVE-2018-1000156).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10713
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6951
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000156
https://usn.ubuntu.com/3624-1/
========================

Updated packages in core/updates_testing:
========================
patch-2.7.6-1.mga5
patch-2.7.6-1.mga6

from SRPMS:
patch-2.7.6-1.mga5.src.rpm
patch-2.7.6-1.mga6.src.rpm

Whiteboard: (none) => MGA5TOO
Severity: normal => major

Comment 11 Herman Viaene 2018-06-09 10:53:12 CEST 
MGA5-32 on Dell Latitude D600 Xfce
No installation issues.
Followed test as per bug 16436 Comment 3:
$ mkdir dir1
$ ln -s dir1 dir2
$ echo a > dir2/a
$ echo b > dir2/b
$ diff -u dir2/a dir2/b > foo.diff
$ patch -p0 < foo.diff
$ more dir2/a
b
Seems OK to me.

Whiteboard: MGA5TOO => MGA5TOO MGA5-32-OK
CC: (none) => herman.viaene

Comment 12 PC LX 2018-06-09 11:49:41 CEST 
Installed and tested without issue.

System: Mageia 6, x86_64, Intel CPU.

Tested using the trigger diff file at https://savannah.gnu.org/bugs/index.php?45990#attached
Also tested in normal use. No problems noticed.

$ uname -a
Linux marte 4.14.44-desktop-2.mga6 #1 SMP Mon May 28 22:35:45 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -q patch
patch-2.7.6-1.mga6

Whiteboard: MGA5TOO MGA5-32-OK => MGA5TOO MGA5-32-OK MGA6-64-OK
CC: (none) => mageia

Comment 13 Brian Rockwell 2018-06-11 17:49:15 CEST 
$ uname -a
Linux localhost 4.14.44-desktop-2.mga6 #1 SMP Mon May 28 23:51:04 UTC 2018 i686 i686 i686 GNU/Linux



The following 2 packages are going to be installed:

- meta-task-6-3.1.mga6.noarch
- patch-2.7.6-1.mga6.i586

43KB of additional disk space will be used.

164KB of packages will be retrieved.

Is it ok to continue?


---

I followed the same example above and it worked.

Whiteboard: MGA5TOO MGA5-32-OK MGA6-64-OK => MGA5TOO MGA5-32-OK MGA6-64-OK mga6-32-ok
CC: (none) => brtians1

Comment 14 claire robinson 2018-06-14 18:09:12 CEST 
Validating

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 15 claire robinson 2018-06-14 18:24:45 CEST 
Advisoried

Keywords: (none) => advisory

Comment 16 Mageia Robot 2018-06-14 20:15:57 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0277.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED