Fedora has issued an advisory today (October 15):
Mageia 6 is also affected.
Assigning to the registered maintainer.
CVE-2018-6951 is fixed by upstream patch:
CVE-2018-6952 is fixed by upstream patch:
Pushing patch-2.7.6-4.mga7 to cauldron.
patch-2.7.6-1.1.mga6 on its way for testing_updates for mga6
Updated patch packages fix security vulnerabilities:
A NULL pointer dereference flaw was found in the way patch processed patch
files. An attacker could potentially use this flaw to crash patch by tricking
it into processing crafted patches (CVE-2018-6951).
A double-free flaw was found in the way the patch utility processed patch
files. An attacker could potentially use this flaw to crash the patch utility
by tricking it into processing crafted patches (CVE-2018-6952).
Updated packages in core/updates_testing:
MGA6-32 MATE on IBM ThinkPad R50e
No installation issues
Followed test as per bug 22587 Comment 11
$ mkdir dir1
$ ln -s dir1 dir2
$ echo a > dir2/a
$ echo b > dir2/b
$ diff -u dir2/a dir2/b > foo.diff
$ patch -p0 < foo.diff
patching file dir2/a
$ more dir2/a
OK for me.
Thank you Herman for the test.
Advisoried from comment 4, and validating.
An update for this issue has been pushed to the Mageia Updates repository.