Gentoo alert 201612-12 (patch)
| From: | Aaron Bauman <bman@gentoo.org> | |
| To: | gentoo-announce@lists.gentoo.org | |
| Subject: | [gentoo-announce] [ GLSA 201612-12 ] Patch: Denial of Service | |
| Date: | Mon, 5 Dec 2016 10:17:06 +0900 | |
| Message-ID: | <e1bc08cb-2d1e-2c1d-fce5-fee47cff437a@gentoo.org> |
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 201612-12 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - https://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: Normal Title: Patch: Denial of Service Date: December 05, 2016 Bugs: #538658 ID: 201612-12 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======== Patch is vulnerable to a locally generated Denial of Service condition. Background ========== Patch takes a patch file containing a difference listing produced by the diff program and applies those differences to one or more original files, producing patched versions. Affected packages ================= ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 sys-devel/patch < 2.7.4 >= 2.7.4 Description =========== Due to a flaw in Patch, the application can enter an infinite loop when processing a specially crafted diff file. Impact ====== A local attacker could pass a specially crafted diff file to Patch, possibly resulting in a Denial of Service condition. Workaround ========== There is no known workaround at this time. Resolution ========== All patch users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=sys-devel/patch-2.7.4" References ========== Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: https://security.gentoo.org/glsa/201612-12 Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License ======= Copyright 2016 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5