Debian has issued an advisory on July 27: https://www.debian.org/security/2019/dsa-4489 Mageia 6 and Mageia 7 are also affected.
Whiteboard: (none) => MGA7TOO, MGA6TOO
Ubuntu has issued an advisory for this on July 24: https://usn.ubuntu.com/4071-1/
Red Hat has issued an advisory on September 17: https://access.redhat.com/errata/RHSA-2019:2798 It fixes one new CVE, CVE-2018-20969, which is fixed by the same commit that fixed CVE-2019-13638.
Summary: patch new security issues CVE-2019-13636 and CVE-2019-13638 => patch new security issues CVE-2019-13636, CVE-2019-13638, and CVE-2018-20969
Fedora has issued an advisory for the first two CVEs on August 23: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/SVWWGISFWACROJJPVJJL4UBLVZ7LPOLT/
Status comment: (none) => Patches available from Debian, Ubuntu, and Fedora
Patched package uploaded for cauldron and Mageia 7.

Advisory:
========================

Updated patch package fixes security vulnerabilities:

* In GNU patch through 2.7.6, the following of symlinks is mishandled in certain cases other than input files (CVE-2019-13636).
* GNU patch through 2.7.6 is vulnerable to OS shell command injection that can be exploited by opening a crafted patch file that contains an ed style diff payload with shell metacharacters (CVE-2019-13638).
* do_ed_script in pch.c in GNU patch through 2.7.6 does not block strings beginning with a ! character. NOTE: this is the same commit as for CVE-2019-13638, but the ! syntax is specific to ed, and is unrelated to a shell metacharacter (CVE-2018-20969).

References:
https://nvd.nist.gov/vuln/detail/CVE-2019-13636
https://nvd.nist.gov/vuln/detail/CVE-2019-13638
https://nvd.nist.gov/vuln/detail/CVE-2018-20969
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/SVWWGISFWACROJJPVJJL4UBLVZ7LPOLT/
https://access.redhat.com/errata/RHSA-2019:2798
========================

Updated packages in core/updates_testing:
========================

patch-2.7.6-4.1.mga7 from patch-2.7.6-4.1.mga7.src.rpm

Test procedure https://bugs.mageia.org/show_bug.cgi?id=22587#c11
Whiteboard: MGA7TOO, MGA6TOO => (none)
Version: Cauldron => 7
Keywords: (none) => has_procedure
Assignee: tmb => qa-bugs
CC: (none) => mrambo
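The two ed-script CVEs in the advisory above (CVE-2019-13638 and CVE-2018-20969) both come down to patch handing an attacker-controlled ed script to ed, where a line beginning with "!" in command position makes ed run a shell command. As an added example that is not part of this bug report or of the GNU patch sources, the following Python scanner walks an ed-style diff with the same two states an ed reader needs (command line versus a/c text block) and reports any "!" line that is in command position, while leaving a "!" that is merely inserted text alone. The sample diffs are constructed here and "touch /tmp/pwned" is a placeholder command, not anything from the page; the scanner is a pre-check for untrusted patch files before running patch, not a replacement for the fixed package.

```python
import re

# Constructed sample inputs (not taken from the bug report).  The first one
# carries an ed shell escape: a "!cmd" line outside a text block makes ed run
# cmd.  "touch /tmp/pwned" is a placeholder, not a real payload from the page.
MALICIOUS_ED_DIFF = """1c
hello world
.
!touch /tmp/pwned
w
q
"""

# Here the "!" line is *data* inside an "a" block, so it must not be flagged.
BENIGN_ED_DIFF = """3a
! this line starts with a bang but is text, not a command
.
1,2d
w
q
"""

# Edit commands diff -e emits: optional address (N, N,M; "$" and "." as in ed)
# followed by a, c or d.  A bare "a" appears after the "s/.//" dance diff -e
# uses for a line consisting of a single period.
ED_EDIT_CMD = re.compile(r'^(?:(?:\d+|\$|\.)(?:,(?:\d+|\$|\.))?)?(?P<cmd>[acd])$')
# Housekeeping commands diff -e legitimately produces.
ED_SAFE_CMDS = {'w', 'q', 's/.//'}


def scan_ed_script(text):
    """Return a list of (line_no, line, reason) for every line in command
    position that is not a plain a/c/d edit or one of ED_SAFE_CMDS.
    Lines inside an a/c text block (up to the terminating ".") are data
    and are never reported.  An empty list means the script is clean."""
    findings = []
    in_text_block = False
    for line_no, line in enumerate(text.splitlines(), start=1):
        if in_text_block:
            # Inside appended/changed text: only a lone "." ends the block.
            if line == '.':
                in_text_block = False
            continue
        m = ED_EDIT_CMD.match(line)
        if m:
            if m.group('cmd') in ('a', 'c'):
                in_text_block = True
            continue
        if line in ED_SAFE_CMDS:
            continue
        if line.startswith('!'):
            findings.append((line_no, line, 'shell escape'))
        else:
            findings.append((line_no, line, 'unrecognized ed command'))
    return findings


def ed_script_is_safe(text):
    """Convenience wrapper: True only when scan_ed_script finds nothing."""
    return not scan_ed_script(text)


if __name__ == '__main__':
    for name, diff in (('malicious', MALICIOUS_ED_DIFF), ('benign', BENIGN_ED_DIFF)):
        print(name, 'safe' if ed_script_is_safe(diff) else scan_ed_script(diff))
```

Run on the malicious sample the scanner reports line 4 ("!touch /tmp/pwned") as a shell escape; the benign sample, whose "!" sits inside an "a" block, comes back clean. Anything in command position that is not a/c/d, "w", "q" or "s/.//" is reported as unrecognized, so the check fails closed on ed commands (such as "r" or "e") that a diff -e output never contains.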
MGA7-64 Plasma on Lenovo B50
No installation issues
Followed test as indicated above:
$ mkdir dir1
$ ln -s dir1 dir2
$ echo a > dir2/a
$ echo b > dir2/b
$ diff -u dir2/a dir2/b > foo.diff
$ patch -p0 < foo.diff
patching file dir2/a
[tester7@mach5 ~]$ more dir2/a
b
Is OK
CC: (none) => herman.viaene
Whiteboard: (none) => MGA7-64-OK
Validating. Advisory in Comment 4.
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
Keywords: (none) => advisory
CC: (none) => tmb
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2020-0093.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED