UbuntuUpdates.org

Package "patch"

Name: patch

Description:

Apply a diff file to an original

Latest version: 2.7.1-4ubuntu2.4
Release: trusty (14.04)
Level: security
Repository: main


Other versions of "patch" in Trusty

Repository  Area  Version
base        main  2.7.1-4
updates     main  2.7.1-4ubuntu2.4

Changelog

Version: 2.7.1-4ubuntu2.4 2018-04-10 18:06:41 UTC

  patch (2.7.1-4ubuntu2.4) trusty-security; urgency=medium

  * SECURITY UPDATE: Out-of-bounds access
    - debian/patches/CVE-2016-10713.patch: fix in
      src/pch.c.
    - CVE-2016-10713
  * SECURITY UPDATE: Input validation vulnerability
    - debian/patches/CVE-2018-1000156.patch: fix in
      src/pch.c adding tests in Makefile.in, tests/ed-style.
    - debian/patches/0001-Fix-ed-style-test-failure.patch:
    - CVE-2018-1000156
  * SECURITY UPDATE: NULL pointer dereference
    - debian/patches/CVE-2018-6951.patch: fix in src/pch.c.
    - CVE-2018-6951

 -- <email address hidden> (Leonidas S. Barbosa) Mon, 09 Apr 2018 11:14:01 -0300

CVE-2016-10713 An issue was discovered in GNU patch before 2.7.6. Out-of-bounds access within pch_write_line() in pch.c can possibly lead to DoS via a crafted input

Version: 2.7.1-4ubuntu2.3 2015-06-23 01:06:14 UTC

  patch (2.7.1-4ubuntu2.3) trusty-security; urgency=medium

  * SECURITY UPDATE: Denial of service via crafted patch
    - debian/patches/CVE-2014-9637.patch: Detect and exit upon memory
      allocation failures
    - CVE-2014-9637
  * SECURITY UPDATE: Directory traversal via crafted patch
    - debian/patches/CVE-2015-1196.patch: Don't allow symlink targets to point
      outside of the current directory
    - CVE-2015-1196
  * SECURITY UPDATE: Directory traversal via crafted patch
    - debian/patches/CVE-2015-1395.patch: Check the validity of both filenames
      during a rename or copy
    - CVE-2015-1395
  * SECURITY UPDATE: Directory traversal via crafted patch
    - debian/patches/CVE-2015-1396.patch: Don't allow symlink targets to point
      outside of the current directory. This patch corrects the incomplete fix
      for CVE-2015-1196.
    - CVE-2015-1396
  * debian/control: Add automake1.11 as a build-depends since some of the
    patches adjust Makefile.am files

 -- Tyler Hicks <email address hidden> Mon, 22 Jun 2015 14:33:17 -0500

CVE-2014-9637 With a specific file, patch goes to infinite loop and eats all CPU time
CVE-2015-1196 GNU patch 2.7.1 allows remote attackers to write to arbitrary files via a symlink attack in a patch file.
CVE-2015-1395 directory traversal via file rename
CVE-2015-1396 (another) directory traversal via symlinks -- incomplete fix for CVE-2015-1196


