patch-2.7.1-10.el7

Errata ID: AXSA:2018-2972:01

Release date: Tuesday, April 24, 2018 - 00:47
Subject: patch-2.7.1-10.el7
Affected Channels: Asianux Server 7 for x86_64
Severity: High
Description: 

The patch program applies diff files to originals. The diff command compares an original file to a changed file and lists the changes made to it. A person who has the original file can then use the patch command with the diff file to apply those changes to their own copy (patching the file).

Patch should be installed because it is a common way of upgrading applications.

Security Fix(es):

* patch: Malicious patch files cause ed to execute arbitrary commands (CVE-2018-1000156)

For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2018-1000156
GNU Patch version 2.7.6 contains an input validation vulnerability when processing patch files: specifically, the EDITOR_PROGRAM invocation (using ed) can result in code execution. This attack appears to be exploitable via a patch file processed by the patch utility. It is similar to FreeBSD's CVE-2015-1418; however, although the two share a common ancestry, the code bases have diverged over time.

Solution: 

Update packages.

Additional Info: 

N/A

Download: 

SRPMS
  1. patch-2.7.1-10.el7.src.rpm
    MD5: 29e5bc8e26cb15c01d8bf1be0d3e2df3
    SHA-256: 9ca121be3cb4265bbfeaa96cea144299b48c85f4eefbca1e81c3eab56d561802
    Size: 683.17 kB

Asianux Server 7 for x86_64
  1. patch-2.7.1-10.el7.x86_64.rpm
    MD5: 0555b7026b0e15f13a44d33d30357ea5
    SHA-256: 2eaaf38e24bd9770ed8029e915ac507434f1e76d2aa34ba93c448d2a2d21dfe4
    Size: 109.21 kB
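As an added example (not part of the advisory or of Asianux's own tooling), the following Python script checks the two things a practitioner wants after reading the Solution and Download sections: whether the installed patch package is at or above 2.7.1-10.el7, and whether a downloaded RPM matches the SHA-256 digest listed above. The version ordering is a simplified re-implementation of RPM's rpmvercmp (no epoch, no `~`/`^` handling), and the sample `rpm -q` output it parses is constructed, not taken from a real host.

```python
"""Coverage check for AXSA:2018-2972:01 (example code, not part of the advisory).

Two checks a defender runs after reading the erratum:
  1. is the installed `patch` package at or above the fixed version-release?
  2. does a downloaded RPM match the SHA-256 digest the advisory lists?
rpmvercmp() below is a simplified version of RPM's ordering rules (no epoch,
no '~'/'^' handling), which is sufficient for plain version-release strings.
"""
import hashlib
import hmac
import re

# Version-release shipped by this advisory (from the Download section).
FIXED_VR = "2.7.1-10.el7"

# SHA-256 digests exactly as listed in the advisory's Download section.
ADVISORY_SHA256 = {
    "patch-2.7.1-10.el7.src.rpm":
        "9ca121be3cb4265bbfeaa96cea144299b48c85f4eefbca1e81c3eab56d561802",
    "patch-2.7.1-10.el7.x86_64.rpm":
        "2eaaf38e24bd9770ed8029e915ac507434f1e76d2aa34ba93c448d2a2d21dfe4",
}

# A version string is split into numeric and alphabetic segments; separators
# such as '.' are ignored, exactly as rpmvercmp does.
_SEG = re.compile(r"\d+|[A-Za-z]+")


def rpmvercmp(a: str, b: str) -> int:
    """Return -1, 0 or 1 as a is older than, equal to, or newer than b."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            xi, yi = int(x), int(y)          # numeric segments compare as integers
            if xi != yi:
                return -1 if xi < yi else 1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # a numeric segment is newer than alpha
        elif x != y:
            return -1 if x < y else 1        # alpha segments compare lexically
    if len(sa) != len(sb):
        return -1 if len(sa) < len(sb) else 1  # leftover segments win
    return 0


def parse_nvra(nvra: str):
    """Split 'name-version-release.arch' (as printed by `rpm -q`) into parts."""
    name_vr, arch = nvra.rsplit(".", 1)
    name, version, release = name_vr.rsplit("-", 2)
    return name, version, release, arch


def is_fixed(installed_vr: str, fixed_vr: str = FIXED_VR) -> bool:
    """True when installed version-release is at or above the fixed one."""
    iv, ir = installed_vr.rsplit("-", 1)
    fv, fr = fixed_vr.rsplit("-", 1)
    c = rpmvercmp(iv, fv)
    if c == 0:
        c = rpmvercmp(ir, fr)
    return c >= 0


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_digest(data: bytes, expected_hex: str) -> bool:
    """Compare a computed SHA-256 with an expected one in constant time."""
    return hmac.compare_digest(sha256_hex(data), expected_hex.lower())


def verify_download(filename: str, data: bytes) -> bool:
    """Check downloaded RPM bytes against the digest the advisory lists."""
    return verify_digest(data, ADVISORY_SHA256[filename])


def host_is_covered(rpm_q_output: str) -> bool:
    """Given one line of `rpm -q patch` output, report whether the fix is present."""
    name, version, release, _arch = parse_nvra(rpm_q_output.strip())
    if name != "patch":
        raise ValueError("expected output for the patch package, got %r" % name)
    return is_fixed("%s-%s" % (version, release))


if __name__ == "__main__":
    # Constructed sample output of `rpm -q patch` on an unpatched host.
    sample = "patch-2.7.1-9.el7.x86_64"
    print(sample, "covered by AXSA:2018-2972:01:", host_is_covered(sample))
```

On a real host, feed `host_is_covered()` the output of `rpm -q patch` and `verify_download()` the bytes of the downloaded RPM; a `False` from either means the update is still outstanding or the download is not the file the advisory describes.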