GNU patch through 2.7.6 is vulnerable to OS shell command injection that
can be exploited by opening a crafted patch file that contains an ed style
diff payload with shell metacharacters. The ed editor does not need to be
present on the vulnerable system. This is different from CVE-2018-1000156.
https://nvd.nist.gov/vuln/detail/CVE-2019-13638
Signed-off-by: Russell Senior <russell@personaltelco.net>
(cherry picked from commit bcfd1d76852974170780dbe368e6194dbb0e123e)
In GNU patch through 2.7.6, the following of symlinks is mishandled in
certain cases other than input files. This affects inp.c and util.c.
https://nvd.nist.gov/vuln/detail/CVE-2019-13636
Signed-off-by: Russell Senior <russell@personaltelco.net>
(cherry picked from commit 995bcc532943639f3df36dbcaa361f9167f9f4d5)
uscan reports a new CVE now that PKG_CPE_ID was added.
Reordered patches by date.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
[re-title commit & refresh patches]
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
(backported from a6bd9d0cb652686453604b762e80a35d023908c4)
A new test case was adding in one of the patches fixing a problem, this
also included a change in the test/Makefile.am to add this test case.
The build system detected a change in the Makefile.am and wants to
regenerate the Makefile.in, but this fails because automake-1.15 is not
installed yet. As automake depends on patch being build first, make sure
we do not modify the Makefile.am.
This fixes build problem seen by the build bots.
Fixes: 4797dddfde6 ("patch: apply upstream cve fixes")
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(backported from 759f111f8d7f2d9f5f12713fc6f48ce6422997ec)
Apply two upstream patches to address two CVEs:
* CVE-2018-1000156
* CVE-2018-6952
Add PKG_CPE_ID to Makefile.
Build tested on apm821xx and ar71xx.
Signed-off-by: Russell Senior <russell@personaltelco.net>
(backported from 4797dddfde6a8ffdbdcb4e5b5e137b0a00313f62)
(rebased patches)
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
