Bug 23704

Summary: patch new security issues CVE-2018-6951 and CVE-2018-6952
Product: Mageia Reporter: David Walser <luigiwalser>
Component: Security Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: bruno, herman.viaene, lewyssmith, marja11, sysadmin-bugs
Version: 6 Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA6-32-OK
Source RPM: patch-2.7.6-3.mga7.src.rpm CVE:
Status comment:

Description David Walser 2018-10-16 00:49:57 CEST
Fedora has issued an advisory today (October 15):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/DTAZPKCAJTAOK6CYQP7SPWNXDIAG4A37/

Mageia 6 is also affected.

David Walser 2018-10-16 00:50:03 CEST

Whiteboard: (none) => MGA6TOO

Comment 1 Marja Van Waes 2018-10-16 19:52:44 CEST
Assigning to the registered maintainer.

CC: (none) => marja11
Assignee: bugsquad => tmb

Comment 2 Bruno Cornec 2018-11-10 02:18:35 CET
CVE-2018-6951 is fixed by upstream patch:
https://git.savannah.gnu.org/cgit/patch.git/commit/?id=f290f48a621867084884bfff87f8093c15195e6a
CVE-2018-6952 is fixed by upstream patch:
http://git.savannah.gnu.org/cgit/patch.git/commit/?id=9c986353e420ead6e706262bf204d6e03322c300

Pushing patch-2.7.6-4.mga7 to cauldron.

Status: NEW => ASSIGNED
Version: Cauldron => 6
CC: (none) => bruno
Assignee: tmb => bruno
Whiteboard: MGA6TOO => (none)

Comment 3 Bruno Cornec 2018-11-10 02:23:32 CET
patch-2.7.6-1.1.mga6 on its way for testing_updates for mga6

Assignee: bruno => qa-bugs

Comment 4 David Walser 2018-11-10 14:10:59 CET
Advisory:
========================

Updated patch packages fix security vulnerabilities:

A NULL pointer dereference flaw was found in the way patch processed patch
files. An attacker could potentially use this flaw to crash patch by tricking
it into processing crafted patches (CVE-2018-6951).

A double-free flaw was found in the way the patch utility processed patch
files. An attacker could potentially use this flaw to crash the patch utility
by tricking it into processing crafted patches (CVE-2018-6952).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6951
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6952
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/DTAZPKCAJTAOK6CYQP7SPWNXDIAG4A37/
========================

Updated packages in core/updates_testing:
========================
patch-2.7.6-1.1.mga6

from patch-2.7.6-1.1.mga6.src.rpm

Comment 5 Herman Viaene 2018-11-14 15:17:32 CET
MGA6-32 MATE on IBM Thinkpad R50e
No installation issues
Followed test as per bug 22587 Comment 11
$ mkdir dir1
$ ln -s dir1 dir2
$ echo a > dir2/a
$ echo b > dir2/b
$ diff -u dir2/a dir2/b > foo.diff
$ patch -p0 < foo.diff
patching file dir2/a
$ more dir2/a
b

OK for me.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA6-32-OK

Comment 6 Lewis Smith 2018-11-14 20:38:38 CET
Thank you Herman for the test.
Advisoried from comment 4; and validating.

Keywords: (none) => advisory, validated_update
CC: (none) => lewyssmith, sysadmin-bugs

Comment 7 Mageia Robot 2018-11-15 23:05:38 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0448.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED