projects / buildroot.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: ad9c339)
package/patch: annotate CVE-2019-13638
authorFabrice Fontaine <fontaine.fabrice@gmail.com>
Tue, 3 Mar 2020 19:47:03 +0000 (20:47 +0100)
committerThomas Petazzoni <thomas.petazzoni@bootlin.com>
Tue, 3 Mar 2020 21:39:09 +0000 (22:39 +0100)
GNU patch through 2.7.6 is vulnerable to OS shell command injection that
can be exploited by opening a crafted patch file that contains an ed
style diff payload with shell metacharacters. The ed editor does not
need to be present on the vulnerable system. This is different from
CVE-2018-1000156.

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
package/patch/patch.mk patch | blob | history

diff --git a/package/patch/patch.mk b/package/patch/patch.mk
index ae9b838a62b17efee363d1ec9b4477af2639b389..b7f5bac05a706d9f59e822712584d31c7405acbe 100644 (file)
--- a/package/patch/patch.mk
+++ b/package/patch/patch.mk
@@ -17,7 +17,7 @@ PATCH_IGNORE_CVES += CVE-2018-6951
 PATCH_IGNORE_CVES += CVE-2018-1000156
 
 # 0004-Invoke-ed-directly-instead-of-using-the-shell.patch
-PATCH_IGNORE_CVES += CVE-2018-20969
+PATCH_IGNORE_CVES += CVE-2018-20969 CVE-2019-13638
 
 # 0005-Don-t-follow-symlinks-unless--follow-symlinks-is-given.patch
 PATCH_IGNORE_CVES += CVE-2019-13636