Patch: Multiple vulnerabilities — GLSA 201908-22

Multiple vulnerabilities have been found in Patch, the worst of which could result in the arbitrary execution of code.

Affected packages

Package: sys-devel/patch on all architectures
Affected versions: < 2.7.6-r4
Unaffected versions: >= 2.7.6-r4

Background

Patch takes a patch file containing a difference listing produced by the diff program and applies those differences to one or more original files, producing patched versions.

Description

Multiple vulnerabilities have been discovered in Patch. Please review the CVE identifiers referenced below for details.

Impact

A local attacker could pass a specially crafted diff file to Patch, possibly resulting in a Denial of Service condition or arbitrary code execution.

Workaround

There is no known workaround at this time.

Resolution

All Patch users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=sys-devel/patch-2.7.6-r4"
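
To find hosts that still need this upgrade, the following added example (not part of the advisory or of Portage) checks an installed version string against the fixed version 2.7.6-r4. The function names are hypothetical, it assumes versions of the form N.N.N with an optional -rN revision, and it assumes Portage's portageq helper is available on the host:

```sh
#!/bin/sh
# Added example (not from the advisory): flag sys-devel/patch versions older
# than the fixed version given in GLSA 201908-22.
FIXED_BASE=2.7.6   # from the advisory: unaffected >= 2.7.6-r4
FIXED_REV=4

# Compare two dotted numeric versions; prints lt, eq or gt.
# Simplification: components compare as plain integers; a version with extra
# components (2.7.6.1) sorts after its prefix (2.7.6).
cmp_dotted() {
  ca=$1 cb=$2
  while [ -n "$ca" ] || [ -n "$cb" ]; do
    if [ -z "$ca" ]; then echo lt; return 0; fi
    if [ -z "$cb" ]; then echo gt; return 0; fi
    cx=${ca%%.*} cy=${cb%%.*}
    case $ca in *.*) ca=${ca#*.} ;; *) ca= ;; esac
    case $cb in *.*) cb=${cb#*.} ;; *) cb= ;; esac
    if [ "$cx" -lt "$cy" ]; then echo lt; return 0; fi
    if [ "$cx" -gt "$cy" ]; then echo gt; return 0; fi
  done
  echo eq
}

# patch_is_affected VERSION
# Returns 0 if VERSION < 2.7.6-r4, 1 if not, 2 if VERSION cannot be parsed.
patch_is_affected() {
  pv=${1#sys-devel/patch-}            # accept "sys-devel/patch-2.7.6-r3" too
  case $pv in
    *-r*) prev=${pv##*-r}; pbase=${pv%-r*} ;;
    *)    prev=0;          pbase=$pv ;;
  esac
  case $pbase in ''|*[!0-9.]*|.*|*.|*..*) return 2 ;; esac
  case $prev  in ''|*[!0-9]*) return 2 ;; esac
  case $(cmp_dotted "$pbase" "$FIXED_BASE") in
    lt) return 0 ;;
    gt) return 1 ;;
  esac
  [ "$prev" -lt "$FIXED_REV" ]        # same base: the -rN revision decides
}

# On a Gentoo host, ask Portage what is installed (assumes portageq is present).
if command -v portageq >/dev/null 2>&1; then
  installed=$(portageq best_version / sys-devel/patch)
  if patch_is_affected "$installed"; then
    echo "AFFECTED: $installed (upgrade to >=sys-devel/patch-2.7.6-r4)"
  else
    echo "not affected or not installed: ${installed:-none}"
  fi
fi
```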
 

References

Release date
August 18, 2019

Latest revision
August 18, 2019: 1

Severity
normal

Exploitable
local

Bugzilla entries