
Bug#895936: stretch-pu: package patch/2.7.5-1+deb9u1



Control: tags -1 + confirmed

On Tue, 2018-04-17 at 17:45 +0200, Laszlo Boszormenyi (GCS) wrote:
> I'd like to fix CVE-2018-1000156 in patch for Stretch, which is an
> arbitrary command execution in ed-style patches.
> While it might be used for remote compromise, it would need a setup to
> accept patches unconditionally. But then an attacker has an easy path
> already to insert vulnerable code to source files or JavaScript
> injection to HTML pages, etc. Hence it doesn't warrant a DSA on its
> own, but would be good to fix in a point release.
> 

Please go ahead.

Regards,

Adam

