Arch Linux

FS#57526 - [patch] [Security] multiple issues (CVE-2018-6952 CVE-2018-6951)

Attached to Project: Arch Linux
Opened by Morten Linderud (Foxboron) - Thursday, 15 February 2018, 23:37 GMT
Last edited by Doug Newgard (Scimmia) - Saturday, 17 February 2018, 16:36 GMT
Task Type: Bug Report
Category: Security
Status: Assigned
Assigned To: Sébastien Luttringer (seblu), Levente Polyak (anthraxx)
Architecture: All
Severity: Medium
Priority: Normal
Reported Version:
Due in Version: Undecided
Due Date: Undecided
Percent Complete: 0%
Votes: 0
Private: No



The package patch is vulnerable to multiple issues including arbitrary code execution and denial of service via CVE-2018-6952 and CVE-2018-6951.


Cherry pick the given patches

Comment by Sébastien Luttringer (seblu) - Sunday, 18 February 2018, 22:31 GMT
I didn't find a patch for CVE-2018-6952. Will wait for both patches before pushing.
Comment by Sébastien Luttringer (seblu) - Thursday, 08 March 2018, 11:48 GMT
Am I correct if I say there is still no fix taken by upstream for CVE-2018-6952?
Comment by Morten Linderud (Foxboron) - Friday, 18 May 2018, 20:44 GMT
Sorry for the delay.
Seems like CVE-2018-6952 hasn't had a fix pushed so far. However, CVE-2018-1000156 is now a thing and has multiple related commits in the tree. I think all commits from 04-06-2018 and onwards are related, but unsure.