From: Mark H Weaver <mhw@netris.org>
To: 47144@debbugs.gnu.org
Subject: bug#47144: security patching of 'patch' package
Date: Sun, 14 Mar 2021 17:37:25 -0400 [thread overview]
Message-ID: <877dm9s9fz.fsf@netris.org> (raw)
In-Reply-To: 6d01d537754ce50b10035903d8e7d205699c4b39.camel@zaclys.net
[-- Attachment #1: Type: text/plain, Size: 315 bytes --]
I'm forwarding this to bug-guix@gnu.org so that it won't be forgotten.
Mark
-------------------- Start of forwarded message --------------------
Subject: security patching of 'patch' package
From: Léo Le Bouter <lle-bout@zaclys.net>
To: guix-devel@gnu.org
Date: Wed, 10 Mar 2021 04:14:35 +0100
[-- Attachment #2.1: Type: text/plain, Size: 614 bytes --]
Hello!
I could find that the 'patch' package was vulnerable to numerous CVEs
that other distros like Debian have patched. Here's the list reported
by 'guix lint -c cve patch':
patch@2.7.6: probably vulnerable to CVE-2019-13636, CVE-2019-13638,
CVE-2019-20633, CVE-2018-1000156, CVE-2018-20969, CVE-2018-6951, CVE-
2018-6952
Can I use latest commit from master to build 'patch' then graft
original package?
i.e. https://git.savannah.gnu.org/git/patch.git
There's not that many commits since last release, but lots of time:
https://git.savannah.gnu.org/cgit/patch.git/log/
Thank you,
Léo
[-- Attachment #2.2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
[-- Attachment #3: Type: text/plain, Size: 67 bytes --]
-------------------- End of forwarded message --------------------
next parent reply other threads:[~2021-03-14 21:40 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <6d01d537754ce50b10035903d8e7d205699c4b39.camel@zaclys.net>
2021-03-14 21:37 ` Mark H Weaver [this message]
2021-03-15 18:26 ` bug#47144: [PATCH 0/1] gnu: patch: Update to 2.7.6-7623b2d [security fixes] Léo Le Bouter via Bug reports for GNU Guix
2021-03-15 18:26 ` bug#47144: [PATCH 1/1] " Léo Le Bouter via Bug reports for GNU Guix
2021-03-18 21:58 ` Ludovic Courtès
2022-03-23 3:03 ` bug#47144: security patching of 'patch' package Maxim Cournoyer
2021-04-14 21:54 ` Leo Famulari
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://guix.gnu.org/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=877dm9s9fz.fsf@netris.org \
--to=mhw@netris.org \
--cc=47144@debbugs.gnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).