Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
441d6314 by Salvatore Bonaccorso at 2018-04-07T08:14:14+02:00

    Mark patch as no-dsa, can be fixed via point release

    If one applies a patch without understanding what (potentially) happens
    -- in particular here when processing ed diffs -- then one can smuggle in
    as well malicious code in the patched code itself.

- - - - -

1 changed file:

- data/CVE/list

Changes:

=====================================
data/CVE/list
=====================================
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -129209,6 +129209,8 @@ CVE-2015-1418 (The do_ed_script function in pch.c in GNU patch through 2.7.6, an
 	NOT-FOR-US: patch as used in FreeBSD specifically
 CVE-2018-1000156 (GNU Patch version 2.7.6 contains an input validation vulnerability ...)
 	- patch 2.7.6-2 (bug #894993)
+	[stretch] - patch <no-dsa> (Can be fixed via point release)
+	[jessie] - patch <no-dsa> (Can be fixed via point release)
 	NOTE: Upstream bug: https://savannah.gnu.org/bugs/?53566
 	NOTE: https://rachelbythebay.com/w/2018/04/05/bangpatch/
 	NOTE: https://twitter.com/kurtseifried/status/982028968877436928

View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/441d63141a98b7234a6ce2f16a613976ce6cfc6f

---
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/441d63141a98b7234a6ce2f16a613976ce6cfc6f
You're receiving this email because of your account on salsa.debian.org.
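Review bot: the two added `[stretch]` and `[jessie]` entries for CVE-2018-1000156 record only the generic reason "Can be fixed via point release", while the actual risk assessment (that an attacker who can get a victim to apply an untrusted patch can already plant malicious code in the patched files themselves, so the ed-script handling in do_ed_script adds little beyond that) lives only in the commit message and will not be visible to anyone reading data/CVE/list. Consider adding that rationale as a `NOTE:` line beside the three existing `NOTE:` entries in this hunk so the tracker itself documents why no DSA was issued; the existing `- patch 2.7.6-2 (bug #894993)` line for unstable is unaffected and stays correct.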
_______________________________________________
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits