Bug#895936: stretch-pu: package patch/2.7.5-1+deb9u1
Control: tags -1 + confirmed
On Tue, 2018-04-17 at 17:45 +0200, Laszlo Boszormenyi (GCS) wrote:
> I'd like to fix CVE-2018-1000156 in patch for Stretch, which is an
> arbitrary command execution in ed-style patches.
> While it might be used for remote compromise, it would need a setup to
> accept patches unconditionally. But then an attacker has an easy path
> already to insert vulnerable code to source files or JavaScript
> injection to HTML pages, etc. Hence it doesn't warrant a DSA on its
> own, but would be good to fix in a point release.
>
Please go ahead.
Regards,
Adam