A few security issues in patch have been announced today (February 13):
It looks like the first two have been fixed upstream and the third hasn't been.
Mageia 5 and Mageia 6 are also affected.
First two issues fixed upstream, third not fixed yet
Assigning to the registered maintainer.
how do I download this patch, thanks
Patch 2.7.6 itself fixed CVE-2016-10713, CVE-2018-6951, CVE-2018-6952, according to this Fedora advisory on February 20:
Another issue, CVE-2018-1000156:
Ubuntu has issued an advisory for this on April 10:
SUSE has issued an advisory for this today (May 2):
openSUSE has issued an advisory for this today (May 3):
Fedora advisory for CVE-2018-1000156 from May 9:
Fixed in cauldron in patch-2.7.6-2.mga7
Mga6 package updated to 2.7.6 and added the fix for CVE-2018-1000156
SRPM and RPM name:
MGA6TOO, MGA5TOO =>
Updated patch package fixes security vulnerabilities:
It was discovered that Patch incorrectly handled certain files. An attacker
could possibly use this to cause a denial of service (CVE-2016-10713).
It was discovered that Patch incorrectly handled certain inputs. An attacker
could possibly use this to cause a denial of service (CVE-2018-6951).
It was discovered that Patch incorrectly handled certain input validation. An
attacker could possibly use this to execute arbitrary code (CVE-2018-1000156).
Updated packages in core/updates_testing:
MGA5-32 on Dell Latitude D600 Xfce
No installation issues.
Followed test as per bug 16436 Comment 3:
$ mkdir dir1
$ ln -s dir1 dir2
$ echo a > dir2/a
$ echo b > dir2/b
$ diff -u dir2/a dir2/b > foo.diff
$ patch -p0 < foo.diff
$ more dir2/a
Seems OK to me.
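The symlinked-directory test above, as an added shell example that is not part of the bug report: it runs the same commands from bug 16436 Comment 3 inside a temporary directory and checks that the hunk was applied to the file behind the symlink (both dir2/a and the real dir1/a must now read "b"). The function name patch_symlink_check, the scratch-directory handling and the "ok"/"skipped" results are my own choices, not anything from the Mageia thread.

```shell
# Added example (not from the Mageia bug report): re-run the symlinked
# directory test from bug 16436 Comment 3 in a throwaway directory and
# report "ok" when patch applied the hunk through the symlink.
# Prints "skipped" when patch or diff is not installed on this machine.
patch_symlink_check() {
    command -v patch >/dev/null 2>&1 || { echo skipped; return 0; }
    command -v diff  >/dev/null 2>&1 || { echo skipped; return 0; }
    work=$(mktemp -d) || { echo fail; return 0; }
    result=fail
    if (
        cd "$work" || exit 1
        mkdir dir1 || exit 1
        ln -s dir1 dir2 || exit 1           # dir2 is a symlink inside the work tree
        echo a > dir2/a                     # written through the symlink into dir1/a
        echo b > dir2/b
        diff -u dir2/a dir2/b > foo.diff || true   # diff exits 1 when files differ
        patch -p0 -s < foo.diff || exit 1   # -p0 keeps the dir2/ prefix; -s is quiet
        # The hunk turns "a" into "b"; it must show up both via the symlink
        # and in the real directory the symlink points to.
        [ "$(cat dir2/a)" = b ] || exit 1
        [ "$(cat dir1/a)" = b ] || exit 1
    ); then
        result=ok
    fi
    rm -rf "$work"
    echo "$result"
}

# Usage: prints ok, fail, or skipped.
patch_symlink_check
```

A symlink that stays inside the working directory is the supported case; the check reports "fail" if patch either refuses the path or writes somewhere other than the file the symlink resolves to.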
Installed and tested without issue.
System: Mageia 6, x86_64, Intel CPU.
Tested using the trigger diff file at https://savannah.gnu.org/bugs/index.php?45990#attached
Also tested in normal use. No problems noticed.
$ uname -a
Linux marte 4.14.44-desktop-2.mga6 #1 SMP Mon May 28 22:35:45 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -q patch
MGA5TOO MGA5-32-OK =>
MGA5TOO MGA5-32-OK MGA6-64-OK
$ uname -a
Linux localhost 4.14.44-desktop-2.mga6 #1 SMP Mon May 28 23:51:04 UTC 2018 i686 i686 i686 GNU/Linux
The following 2 packages are going to be installed:
43KB of additional disk space will be used.
164KB of packages will be retrieved.
Is it ok to continue?
I followed the same example above and it worked.
MGA5TOO MGA5-32-OK MGA6-64-OK =>
MGA5TOO MGA5-32-OK MGA6-64-OK mga6-32-ok
An update for this issue has been pushed to the Mageia Updates repository.