Hello community, here is the log from the commit of package patch for openSUSE:Factory checked in at 2018-03-30 11:55:13 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/patch (Old) and /work/SRC/openSUSE:Factory/.patch.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "patch" Fri Mar 30 11:55:13 2018 rev:41 rq:590591 version:2.7.6 Changes: -------- --- /work/SRC/openSUSE:Factory/patch/patch.changes 2015-03-16 06:55:04.000000000 +0100 +++ /work/SRC/openSUSE:Factory/.patch.new/patch.changes 2018-03-30 11:55:15.032143755 +0200 @@ -1,0 +2,24 @@ +Thu Mar 22 09:43:43 CET 2018 - jdelv...@suse.de + +- Move COPYING from %doc to %license. + +------------------------------------------------------------------- +Wed Mar 21 16:44:09 CET 2018 - jdelv...@suse.de + +- Add AUTHORS and COPYING to %doc. +- fix-segfault-mangled-rename.patch: Fix segfault with mangled + rename patch (bsc#1080951, CVE-2018-6951, savannah#53132). + +------------------------------------------------------------------- +Wed Feb 7 18:43:51 UTC 2018 - astie...@suse.com + +- patch 2.7.6: + * Files specified on the command line are no longer verified to + be inside the current working directory, so commands like + "patch -i foo.diff ../foo" will work again + * Fixes CVE-2016-10713 (Out-of-bounds access within + pch_write_line() in pch.c could possibly lead to DoS via a + crafted input file; bsc#1080918) + * Various fixes + +------------------------------------------------------------------- Old: ---- patch-2.7.5.tar.xz patch-2.7.5.tar.xz.sig New: ---- fix-segfault-mangled-rename.patch patch-2.7.6.tar.xz patch-2.7.6.tar.xz.sig ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ patch.spec ++++++ --- /var/tmp/diff_new_pack.fLnRZr/_old 2018-03-30 11:55:15.904112220 +0200 +++ /var/tmp/diff_new_pack.fLnRZr/_new 2018-03-30 11:55:15.904112220 +0200 @@ -1,7 +1,7 @@ # # spec file for package patch # -# Copyright (c) 2015 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -17,7 +17,7 @@ Name: patch -Version: 2.7.5 +Version: 2.7.6 Release: 0 Summary: GNU patch License: GPL-3.0+ @@ -26,13 +26,13 @@ Source: http://ftp.gnu.org/gnu/patch/%{name}-%{version}.tar.xz Source2: http://ftp.gnu.org/gnu/patch/%{name}-%{version}.tar.xz.sig Source3: http://savannah.gnu.org/project/memberlist-gpgkeys.php?group=patch&download=1#/patch.keyring -%if 0%{?suse_version} < 1220 -BuildRequires: xz -%endif -BuildRoot: %{_tmppath}/%{name}-%{version}-build +Patch1: fix-segfault-mangled-rename.patch # See bnc#662957. The fix for CVE-2010-4651 breaks the way interdiff was # invoking patch, so interdiff had to be fixed too. Conflicts: patchutils < 0.3.2 +%if 0%{?suse_version} < 1220 +BuildRequires: xz +%endif %description The GNU patch program is used to apply diffs between original and @@ -40,6 +40,7 @@ %prep %setup -q +%patch1 -p1 %build export CFLAGS="%{optflags} -Wall -O2 -pipe" @@ -53,9 +54,13 @@ make install DESTDIR=%{buildroot} %{verbose:V=1} %files -%defattr(-,root,root) -%doc NEWS README +%doc AUTHORS NEWS README +%if 0%{?suse_version} >= 1500 +%license COPYING +%else +%doc COPYING +%endif %{_bindir}/patch -%doc %{_mandir}/man1/patch.1.gz +%{_mandir}/man1/patch.1%{ext_man} %changelog ++++++ fix-segfault-mangled-rename.patch ++++++ From: Andreas Gruenbacher <agr...@gnu.org> Date: Mon, 12 Feb 2018 16:48:24 +0100 Subject: Fix segfault with mangled rename patch Patch-mainline: yes Git-commit: f290f48a621867084884bfff87f8093c15195e6a References: bsc#1080951, CVE-2018-6951, savannah#53133 http://savannah.gnu.org/bugs/?53132 * src/pch.c (intuit_diff_type): Ensure that two filenames are specified for renames and copies (fix the existing check). diff --git a/src/pch.c b/src/pch.c index ff9ed2c..bc6278c 100644 --- a/src/pch.c +++ b/src/pch.c @@ -974,7 +974,8 @@ intuit_diff_type (bool need_header, mode_t *p_file_type) if ((pch_rename () || pch_copy ()) && ! inname && ! ((i == OLD || i == NEW) && - p_name[! reverse] && + p_name[reverse] && p_name[! reverse] && + name_is_valid (p_name[reverse]) && name_is_valid (p_name[! reverse]))) { say ("Cannot %s file without two valid file names\n", pch_rename () ? "rename" : "copy"); ++++++ patch-2.7.5.tar.xz -> patch-2.7.6.tar.xz ++++++ ++++ 62545 lines of diff (skipped) ++++++ patch.keyring ++++++ Binary files /var/tmp/diff_new_pack.fLnRZr/_old and /var/tmp/diff_new_pack.fLnRZr/_new differ
