- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 201612-12 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - https://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: Normal Title: Patch: Denial of Service Date: December 05, 2016 Bugs: #538658 ID: 201612-12 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======== Patch is vulnerable to a locally generated Denial of Service condition. Background ========== Patch takes a patch file containing a difference listing produced by the diff program and applies those differences to one or more original files, producing patched versions. Affected packages ================= ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 sys-devel/patch < 2.7.4 >= 2.7.4 Description =========== Due to a flaw in Patch, the application can enter an infinite loop when processing a specially crafted diff file. Impact ====== A local attacker could pass a specially crafted diff file to Patch, possibly resulting in a Denial of Service condition. Workaround ========== There is no known workaround at this time. Resolution ========== All patch users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=sys-devel/patch-2.7.4" References ========== Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: https://security.gentoo.org/glsa/201612-12 Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License ======= Copyright 2016 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5