[Buildroot] [PATCH] patch: add upstream security fix

Thomas Petazzoni thomas.petazzoni at bootlin.com
Mon Apr 9 18:59:17 UTC 2018


Hello,

On Mon,  9 Apr 2018 19:20:36 +0300, Baruch Siach wrote:
> Fixes CVE-2018-1000156: arbitrary command execution in ed-style patches.
> 
> Depend on MMU for now, because the patch adds a fork() call. Upstream
> later switched to gnulib provided execute(), so this dependency can be
> dropped on the next version bump.
> 
> Signed-off-by: Baruch Siach <baruch at tkos.co.il>
> ---
>  ...-files-to-be-missing-for-ed-style-patches.patch |  37 +++++
>  ...ry-command-execution-in-ed-style-patches-.patch | 157 +++++++++++++++++++++
>  package/patch/Config.in                            |   2 +
>  3 files changed, 196 insertions(+)
>  create mode 100644 package/patch/0002-Allow-input-files-to-be-missing-for-ed-style-patches.patch
>  create mode 100644 package/patch/0003-Fix-arbitrary-command-execution-in-ed-style-patches-.patch

Applied to master, thanks.

Thomas
-- 
Thomas Petazzoni, CTO, Bootlin (formerly Free Electrons)
Embedded Linux and Kernel engineering
https://bootlin.com

