author: Fabrice Fontaine <fontaine.fabrice@gmail.com> 2020-03-03 20:47:03 +0100
committer: Thomas Petazzoni <thomas.petazzoni@bootlin.com> 2020-03-03 22:39:09 +0100
commit: 77d2c77d2946e0c92df3ef73df851ebd1b5b8b27 (patch)
tree: 23e0705987c81f3b6bba92170eb1dec48579f94f /package/patch
parent: ad9c33935b2f765d020932d8268d2a46c6c130f1 (diff)
download: buildroot-77d2c77d2946e0c92df3ef73df851ebd1b5b8b27.tar.gz, buildroot-77d2c77d2946e0c92df3ef73df851ebd1b5b8b27.tar.bz2
package/patch: annotate CVE-2019-13638

GNU patch through 2.7.6 is vulnerable to OS shell command injection that can be exploited by opening a crafted patch file that contains an ed style diff payload with shell metacharacters. The ed editor does not need to be present on the vulnerable system. This is different from CVE-2018-1000156.

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
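A pre-apply check of the kind a build system could run on patches it fetches from outside, written here as an added example (it is not Buildroot code and not GNU patch code): it refuses ed-style diffs outright, since the description above says the payload is an ed-style diff and that ed need not even be installed, and it reports shell metacharacters in any file name a diff header supplies. The metacharacter set, the header forms scanned (`Index:`, `diff ...`, `--- `, `+++ `, `*** `) and both sample inputs are assumptions constructed for this example.

```python
"""Pre-apply scanner for untrusted patch files.

Added example, not Buildroot or GNU patch code. Two findings are reported:
an ed-style diff command line (the diff type named in CVE-2019-13638), and a
file name taken from a diff header that contains shell metacharacters, which
is what makes a shell-built "ed <file>" command line dangerous in the first
place.
"""
import re

# Assumption: POSIX sh characters we refuse to see in a file name that could
# ever be interpolated into a command string (includes word-splitting chars).
SHELL_META = frozenset(";&|`$(){}<>*?[]!\\'\"\n\t ")

# ed(1) address/command lines that mark an ed-style diff: "5a", "3,4d", "7c".
ED_COMMAND_RE = re.compile(r"^\d+(?:,\d+)?[acd]$")

# Header lines from which a target file name can be taken (assumption: the
# usual "Index:", "--- ", "+++ ", "*** " forms; a trailing tab/timestamp is
# dropped because the capture stops at whitespace).
HEADER_RE = re.compile(r"^(?:Index:\s*|\+\+\+ |--- |\*\*\* )(\S+)")
# "diff -e old new" style lines: the last token names the file.
DIFF_LINE_RE = re.compile(r"^diff\b.*\s(\S+)$")


def shell_meta_in(name):
    """Return the sorted list of shell metacharacters present in name."""
    return sorted(set(name) & SHELL_META)


def scan_patch(text):
    """Return a list of (line_no, reason) findings for the patch text.

    Reasons:
      "ed-style diff command"                      an ed a/c/d command line
      "shell metacharacters in file name: <chars>" a header names a file
                                                   containing such chars
    """
    findings = []
    in_ed_payload = False
    for n, line in enumerate(text.splitlines(), 1):
        if in_ed_payload:
            # Text following an "a" or "c" command runs until a lone "." line.
            if line == ".":
                in_ed_payload = False
            continue
        if ED_COMMAND_RE.match(line):
            findings.append((n, "ed-style diff command"))
            in_ed_payload = line[-1] in "ac"
            continue
        m = HEADER_RE.match(line) or DIFF_LINE_RE.match(line)
        if m:
            meta = shell_meta_in(m.group(1))
            if meta:
                findings.append(
                    (n, "shell metacharacters in file name: " + "".join(meta)))
    return findings


def is_safe_to_apply(text):
    """True when the scanner has nothing to report."""
    return not scan_patch(text)


# Constructed sample: an ed-style diff (commands in reverse order, as diff -e
# emits them) whose header names a file containing a pipe character.
SAMPLE_ED_DIFF = "\n".join([
    "Index: report|final.txt",
    "3c",
    "new third line",
    ".",
    "1d",
    "",
])

# Constructed sample: an ordinary unified diff, which should pass untouched.
SAMPLE_UNIFIED_DIFF = "\n".join([
    "--- a/package/patch/patch.mk",
    "+++ b/package/patch/patch.mk",
    "@@ -17,7 +17,7 @@ PATCH_IGNORE_CVES += CVE-2018-6951",
    " PATCH_IGNORE_CVES += CVE-2018-1000156",
    "-PATCH_IGNORE_CVES += CVE-2018-20969",
    "+PATCH_IGNORE_CVES += CVE-2018-20969 CVE-2019-13638",
    "",
])

if __name__ == "__main__":
    for label, sample in (("ed", SAMPLE_ED_DIFF), ("unified", SAMPLE_UNIFIED_DIFF)):
        print(label, "safe" if is_safe_to_apply(sample) else scan_patch(sample))
```

Rejecting ed-style diffs wholesale is the conservative choice for a build pipeline, which never needs them; the real fix is the one named in the patch file above, invoking ed directly rather than through a shell command string, and this scanner only covers the window before a fixed patch(1) is deployed. A hunk payload line is deliberately not inspected for metacharacters: ed reads it from stdin, so the header-supplied file name is the part that a shell would ever parse.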
Diffstat (limited to 'package/patch')
-rw-r--r-- package/patch/patch.mk 2
1 file changed, 1 insertion, 1 deletion
diff --git a/package/patch/patch.mk b/package/patch/patch.mk
index ae9b838a62..b7f5bac05a 100644
--- a/package/patch/patch.mk
+++ b/package/patch/patch.mk
@@ -17,7 +17,7 @@ PATCH_IGNORE_CVES += CVE-2018-6951
PATCH_IGNORE_CVES += CVE-2018-1000156
# 0004-Invoke-ed-directly-instead-of-using-the-shell.patch
-PATCH_IGNORE_CVES += CVE-2018-20969
+PATCH_IGNORE_CVES += CVE-2018-20969 CVE-2019-13638
# 0005-Don-t-follow-symlinks-unless--follow-symlinks-is-given.patch
PATCH_IGNORE_CVES += CVE-2019-13636
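Review bot: the only justification for ignoring CVE-2019-13638 is the existing comment "# 0004-Invoke-ed-directly-instead-of-using-the-shell.patch" above the edited line, and nothing in the hunk or the commit message says why that backport covers this CVE as well as CVE-2018-20969; consider extending the comment (or the commit message) with the upstream reference the 0004 patch was taken from, so that a future version bump which drops 0004 knows to drop both CVE ids from "PATCH_IGNORE_CVES += CVE-2018-20969 CVE-2019-13638" rather than leaving a stale ignore in place.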