This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--aIPVt5KwnuXPSU9DxukPrcSJm0PAUftTx
Content-Type: multipart/mixed; boundary="6k9SGwsfR1kxTKmtpPdtVLkspjOk7o8br"
From: Aaron Bauman
To: gentoo-announce@lists.gentoo.org
Message-ID:
Subject: [ GLSA 201612-12 ] Patch: Denial of Service
--6k9SGwsfR1kxTKmtpPdtVLkspjOk7o8br
Content-Type: multipart/alternative;
boundary="------------4FF5646CB3750433854C3DEB"
This is a multi-part message in MIME format.
--------------4FF5646CB3750433854C3DEB
Content-Type: text/plain; charset=utf-
Content-Transfer-Encoding: quoted-printable
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201612-12
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: Patch: Denial of Service
Date: December 05, 2016
Bugs: #538658
ID: 201612-12
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Patch is vulnerable to a locally generated Denial of Service condition.
Background
==========
Patch takes a patch file containing a difference listing produced by
the diff program and applies those differences to one or more original
files, producing patched versions.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 sys-devel/patch < 2.7.4 >= 2.7.4
Description
===========
Due to a flaw in Patch, the application can enter an infinite loop when
processing a specially crafted diff file.
Impact
======
A local attacker could pass a specially crafted diff file to Patch,
possibly resulting in a Denial of Service condition.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All patch users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=sys-devel/patch-2.7.4"
References
==========
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
https://security.gentoo.org/glsa/201612-12
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2016 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
--------------4FF5646CB3750433854C3DEB
Content-Type: text/html; charset=utf-8
Content-Transfer-Encoding: quoted-printable
- - - - - - - - - - - =
- - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201612-12
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/=
a>
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: Patch: Denial of Service
Date: December 05, 2016
Bugs: #538658
ID: 201612-12
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
=3D=3D=3D=3D=3D=3D=3D=3D
Patch is vulnerable to a locally generated Denial of Service condition.
Background
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
Patch takes a patch file containing a difference listing produced by
the diff program and applies those differences to one or more original
files, producing patched versions.
Affected packages
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 sys-devel/patch < 2.7.4 >=3D 2=
=2E7.4=20
Description
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
Due to a flaw in Patch, the application can enter an infinite loop when
processing a specially crafted diff file.
Impact
=3D=3D=3D=3D=3D=3D
A local attacker could pass a specially crafted diff file to Patch,
possibly resulting in a Denial of Service condition.
Workaround
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
There is no known workaround at this time.
Resolution
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
All patch users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=3Dsys-devel/patch-2.7.4"
References
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
Availability
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
https://security.gentoo.org/glsa/201612-12
Concerns?
=3D=3D=3D=3D=3D=3D=3D=3D=3D
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https=
://bugs.gentoo.org.
License
=3D=3D=3D=3D=3D=3D=3D
Copyright 2016 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
--------------4FF5646CB3750433854C3DEB--
--6k9SGwsfR1kxTKmtpPdtVLkspjOk7o8br--
--aIPVt5KwnuXPSU9DxukPrcSJm0PAUftTx
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQJ8BAEBCgBmBQJYRMATXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ1OTcyRDI4NDhFOEE0NDYwRTdERTY4QUM5
RjI4QkQ4QkQxRTM5NUZGAAoJEJ8ovYvR45X/0GkP/1Aa/giWrvp+Wmzi8rvu2jKK
t0nr5yyQEg7I+M4QFMZ76E1Ro0cPCo5j+Qq+kCxe/rVT//HMedx3ED1PDbBd6UC4
3P3W5JhHKKWX+fqJGAK7K4zxMSApTbfp4GE2R9Ctn4avT0m+La1soc40hITe1fhu
GEDOKipbyi033MUYKa12Ad0+b8clcln00E2fgd1gjmKVbtx0RVvS9oySrZdRzfiw
KeLAeeph20TFJQrsKe+ee1TKmLPbskNO+ypDFHTwhhhc+bZ5pOT231PFkDwVBJlg
umY1Oxs1p2WZxyxtoqc6+hJ7vyijab4ijOc9paL2id+snYFw2pOrsmmCHuR+tL+m
BrTpbhjr35WriBC43a8S5uccRtQytDNIyJkyJuvcDJ9LzTGAvmiaFsLdDb5tDJK8
oJ3sb3Gvsjg87Q30oNG3Duf/JIAPb39fnXmmG+0IsOg3nF+w77CP7X2wruP3FwaL
upSWnpA3PtYK/BVQP4MGjgZh2RfoEs0kZYv68/9MroMuhBR88xMKrQ+iFZmfVneo
YhqxHZtMTSorjZlTx9b/XBwSyww6hv0VgXTlypndYh5wV88JPY5rY9XGvwWTPjVA
HkODeLAtTHAXJbRJ/pyMupK7vL66IWLdUwVhvYoq7WQ8FPpqaEiUPoQ9ddEBBPoy
ny/RcWATvtO5wAMAX7Iq
=4Rzz
-----END PGP SIGNATURE-----
--aIPVt5KwnuXPSU9DxukPrcSJm0PAUftTx--
|