[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] CVE-2018-1000156/patch specifically assigned for GNU patch

Salvatore Bonaccorso carnil at debian.org
Fri Apr 6 06:10:29 BST 2018


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
f3ed278c by Salvatore Bonaccorso at 2018-04-06T07:07:54+02:00
CVE-2018-1000156/patch specifically assigned for GNU patch

Queried MITRE which informed they can either update the description to
match GNU patch. OTOH, DWF project has already assigned CVE-2018-1000156
for specifically GNU patch with the reason that as both have the same
root, the code has substantially diverged over time by now, thus the
separate CVE id.

Follow that decision by marking CVE-2015-1418 NFU (specifically for
patch in FreeBSD) and adding a CVE-2018-1000156 entry for patch.

Updated https://bugs.debian.org/894993 accordingly.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -128158,11 +128158,14 @@ CVE-2015-1419 (Unspecified vulnerability in vsftpd 3.0.2 and earlier allows remo
 	NOTE: http://seclists.org/oss-sec/2015/q1/389
 	NOTE: Not a real security feature according the manpage and upstream
 CVE-2015-1418 (patch in FreeBSD 10.1 before 10.1-RELEASE-p17, 10.2 before ...)
+	NOT-FOR-US: patch as used in FreeBSD specifically
+CVE-2018-1000156 [input validation vulnerability when processing patch files]
 	- patch <unfixed> (bug #894993)
 	NOTE: https://rachelbythebay.com/w/2018/04/05/bangpatch/
-	NOTE: https://www.freebsd.org/security/advisories/FreeBSD-SA-15:18.bsdpatch.asc
-	NOTE: https://ftp.openbsd.org/pub/OpenBSD/patches/5.7/common/013_patch.patch.sig
-	TODO: The CVE is actually specifically for "bsdpatch", asked MITRE for clarification on scope (i.e. if we should get a new CVE for src:patch)
+	NOTE: https://twitter.com/kurtseifried/status/982028968877436928
+	NOTE: This CVE is specifically for GNU patch and relates to CVE-2015-1418
+	NOTE: Respective patch in FreeBSD: https://www.freebsd.org/security/advisories/FreeBSD-SA-15:18.bsdpatch.asc
+	NOTE: Respective patch in OpenBSD: https://ftp.openbsd.org/pub/OpenBSD/patches/5.7/common/013_patch.patch.sig
 CVE-2015-1417 (The inet module in FreeBSD 10.2x before 10.2-PRERELEASE, ...)
 	- kfreebsd-10 10.2-1 (unimportant)
 	NOTE: kfreebsd not covered by security support in Jessie
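Review bot: the cross-reference between the two ids only runs one way: the new CVE-2018-1000156 entry says it "relates to CVE-2015-1418", but the CVE-2015-1418 entry's new line `NOT-FOR-US: patch as used in FreeBSD specifically` does not point forward, so someone triaging the FreeBSD id will not find the GNU patch tracking entry. Consider extending that line, e.g. `NOT-FOR-US: patch as used in FreeBSD specifically (GNU patch tracked as CVE-2018-1000156)`. Also, the twitter.com status is the only reference given for the CVE assignment itself; adding a link to the DWF assignment record or an upstream GNU patch bug report, once one exists, would give a more durable source than a tweet.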



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/f3ed278cd5aa2a49a1d686d495c03e3f8d91d51f
