Arch Linux
FS#57526 - [patch] [Security] multiple issues (CVE-2018-6952 CVE-2018-6951)

Attached to Project: Arch Linux
Opened by Morten Linderud (Foxboron) - Thursday, 15 February 2018, 23:37 GMT
Last edited by Doug Newgard (Scimmia) - Saturday, 17 February 2018, 16:36 GMT
Task Type: Bug Report
Category: Security
Status: Assigned
Assigned To: Sébastien Luttringer (seblu), Levente Polyak (anthraxx)
Architecture: All
Severity: Medium
Priority: Normal
Reported Version:
Due in Version: Undecided
Due Date: Undecided
Percent Complete: 0%
Votes: 0
Private: No

Details

Summary
=======

The package patch is vulnerable to multiple issues including arbitrary code execution and denial of service via CVE-2018-6952 and CVE-2018-6951.

Guidance
========

Cherry pick the given patches

References
==========

https://security.archlinux.org/AVG-619
https://savannah.gnu.org/bugs/index.php?53133
https://git.savannah.gnu.org/cgit/patch.git/commit/?id=f290f48a621867084884bfff87f8093c15195e6a
https://savannah.gnu.org/bugs/index.php?53132
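As an added example (not code from this bug report, from the Arch package, or from the GNU patch project), here is a shell sketch of what "cherry pick the given patches" means in practice for a packager: fetch the upstream commit as a patch file, pin its digest so the build input is reproducible, and apply it to the source tree only if every hunk applies cleanly. It assumes cgit's `/patch/?id=<sha>` view for the download step; the apply step is exercised on a constructed one-line unified diff so it runs offline. None of this is the package's actual PKGBUILD.

```shell
#!/usr/bin/env bash
# Added example: a packager's backport workflow modelled on an Arch
# PKGBUILD prepare(). Assumptions (not from the page): the cgit instance
# serves a commit as a plain patch at <cgit-base>/patch/?id=<sha>, and the
# packager records the sha256 of that file once and pins it afterwards.
set -u

# Download one upstream commit as a patch file from cgit.
# Usage: fetch_commit_patch <cgit-base-url> <commit-sha> <outfile>
# e.g. fetch_commit_patch https://git.savannah.gnu.org/cgit/patch.git \
#          f290f48a621867084884bfff87f8093c15195e6a f290f48a.patch
fetch_commit_patch() {
    local cgit_base=$1 commit=$2 out=$3
    curl -fsSL "${cgit_base}/patch/?id=${commit}" -o "$out"
}

# Verify a file against a pinned sha256 digest: 0 on match, 1 otherwise.
# This is the step that turns "cherry pick the given patches" into a fixed,
# reviewable build input instead of whatever the server returned today.
verify_sha256() {
    local file=$1 expected=$2 actual
    actual=$(sha256sum "$file" | cut -d' ' -f1)
    [ "$actual" = "$expected" ]
}

# Apply a -p1 patch to a source tree, refusing to modify it unless every
# hunk applies (dry run first). Returns patch's own exit status, so a
# rejected hunk fails the build instead of silently shipping half a fix.
apply_backport() {
    local srcdir=$1 patchfile=$2
    (cd "$srcdir" && patch -Np1 --dry-run -i "$patchfile" >/dev/null) || return 1
    (cd "$srcdir" && patch -Np1 -i "$patchfile" >/dev/null)
}

# Self-contained demo: a constructed tree and a constructed unified diff
# (not the real upstream fix), so apply_backport can run without network.
# Prints the patched file's contents on success.
demo_apply() {
    local tmp src
    tmp=$(mktemp -d) || return 1
    src="$tmp/src"
    mkdir -p "$src"
    printf 'old line\n' > "$src/pch.c"
    cat > "$tmp/fix.patch" <<'EOF'
--- a/pch.c
+++ b/pch.c
@@ -1 +1 @@
-old line
+new line
EOF
    apply_backport "$src" "$tmp/fix.patch" || { rm -rf "$tmp"; return 1; }
    cat "$src/pch.c"
    rm -rf "$tmp"
}

# Usage in a real prepare(): fetch_commit_patch once, note the digest,
# then on every build: verify_sha256 "$patchfile" "$pinned" && apply_backport "$srcdir" "$patchfile"
```

The dry run matters more than it looks: with several backported commits touching the same file (as the report's follow-up comments anticipate for CVE-2018-1000156), a hunk that no longer applies is exactly the case a packager wants to fail loudly rather than patch around.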

Comment by Sébastien Luttringer (seblu) - Sunday, 18 February 2018, 22:31 GMT
I didn't find a patch for CVE-2018-6952. Will wait for both patches before pushing.
Comment by Sébastien Luttringer (seblu) - Thursday, 08 March 2018, 11:48 GMT
Am I correct if I say there is still no fix taken by upstream for CVE-2018-6952?
Comment by Morten Linderud (Foxboron) - Friday, 18 May 2018, 20:44 GMT
Sorry for the delay.
Seems like CVE-2018-6952 hasn't had a fix pushed so far. However, CVE-2018-1000156 is now a thing and has multiple related commits in the tree. I think all commits from 04-06-2018 onwards are related, but I'm unsure.