From: Thomas Perale via buildroot <buildroot@buildroot.org>
To: buildroot@buildroot.org
Subject: [Buildroot] [PATCH] package/patch: add patches for CVE-2018-6952 & CVE-2019-20633
Date: Wed, 25 Feb 2026 21:28:47 +0100
Message-ID: <20260225202847.385468-1-thomas.perale@mind.be>

Fixes the following vulnerabilities:

- CVE-2018-6952:
    A double free exists in the another_hunk function in pch.c in GNU
    patch through 2.7.6.

    For more information, see:
      - https://www.cve.org/CVERecord?id=CVE-2018-6952
      - https://cgit.git.savannah.gnu.org/cgit/patch.git/commit/?id=9c986353e420ead6e706262bf204d6e03322c300

- CVE-2019-20633:
    GNU patch through 2.7.6 contains a free(p_line[p_end]) Double Free
    vulnerability in the function another_hunk in pch.c that can cause a
    denial of service via a crafted patch file. NOTE: this issue exists
    because of an incomplete fix for CVE-2018-6952.

    For more information, see:
      - https://www.cve.org/CVERecord?id=CVE-2019-20633
      - https://cgit.git.savannah.gnu.org/cgit/patch.git/commit/?id=15b158db3ae11cb835f2eb8d2eb48e09d1a4af48

Signed-off-by: Thomas Perale <thomas.perale@mind.be>
---
...-Fix-swapping-fake-lines-in-pch-swap.patch | 33 +++++++++++++++++++
...emory-access-in-context-format-diffs.patch | 30 +++++++++++++++++
package/patch/patch.mk | 6 ++++
3 files changed, 69 insertions(+)
create mode 100644 package/patch/0006-Fix-swapping-fake-lines-in-pch-swap.patch
create mode 100644 package/patch/0007-Avoid-invalid-memory-access-in-context-format-diffs.patch
diff --git a/package/patch/0006-Fix-swapping-fake-lines-in-pch-swap.patch b/package/patch/0006-Fix-swapping-fake-lines-in-pch-swap.patch
new file mode 100644
index 0000000000..6fd63dff53
--- /dev/null
+++ b/package/patch/0006-Fix-swapping-fake-lines-in-pch-swap.patch
@@ -0,0 +1,33 @@
+From 9c986353e420ead6e706262bf204d6e03322c300 Mon Sep 17 00:00:00 2001
+From: Andreas Gruenbacher <agruen@gnu.org>
+Date: Fri, 17 Aug 2018 13:35:40 +0200
+Subject: Fix swapping fake lines in pch_swap
+
+* src/pch.c (pch_swap): Fix swapping p_bfake and p_efake when there is a
+blank line in the middle of a context-diff hunk: that empty line stays
+in the middle of the hunk and isn't swapped.
+
+Fixes: https://savannah.gnu.org/bugs/index.php?53133
+CVE: CVE-2018-6952
+Upstream: https://cgit.git.savannah.gnu.org/cgit/patch.git/commit/?id=9c986353e420ead6e706262bf204d6e03322c300
+Signed-off-by: Thomas Perale <thomas.perale@mind.be>
+---
+ src/pch.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/pch.c b/src/pch.c
+index e92bc64..a500ad9 100644
+--- a/src/pch.c
++++ b/src/pch.c
+@@ -2115,7 +2115,7 @@ pch_swap (void)
+ }
+ if (p_efake >= 0) { /* fix non-freeable ptr range */
+ if (p_efake <= i)
+- n = p_end - i + 1;
++ n = p_end - p_ptrn_lines;
+ else
+ n = -i;
+ p_efake += n;
+--
+cgit v1.2.3
+
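Review bot: the new file ends with a `cgit v1.2.3` trailer followed by an empty added line, which suggests it was saved from the cgit web view rather than produced with git format-patch. The trailing empty line will be reported as "new blank line at EOF" by git's whitespace check. Consider regenerating 0006 with git format-patch from the upstream repository, or at least dropping the final blank line. Separately, the description in the series commit message places the double free in another_hunk, while this change is in pch_swap (`n = p_end - p_ptrn_lines;`); one sentence in the commit log connecting the two would help the next person auditing the CVE mapping.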
diff --git a/package/patch/0007-Avoid-invalid-memory-access-in-context-format-diffs.patch b/package/patch/0007-Avoid-invalid-memory-access-in-context-format-diffs.patch
new file mode 100644
index 0000000000..5ffe3699ef
--- /dev/null
+++ b/package/patch/0007-Avoid-invalid-memory-access-in-context-format-diffs.patch
@@ -0,0 +1,30 @@
+From 15b158db3ae11cb835f2eb8d2eb48e09d1a4af48 Mon Sep 17 00:00:00 2001
+From: Andreas Gruenbacher <agruen@gnu.org>
+Date: Mon, 15 Jul 2019 19:10:02 +0200
+Subject: Avoid invalid memory access in context format diffs
+
+* src/pch.c (another_hunk): Avoid invalid memory access in context format
+diffs.
+
+CVE: CVE-2019-20633
+Upstream: https://cgit.git.savannah.gnu.org/cgit/patch.git/commit/?id=15b158db3ae11cb835f2eb8d2eb48e09d1a4af48
+Signed-off-by: Thomas Perale <thomas.perale@mind.be>
+---
+ src/pch.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/pch.c b/src/pch.c
+index a500ad9..cb54e03 100644
+--- a/src/pch.c
++++ b/src/pch.c
+@@ -1327,6 +1327,7 @@ another_hunk (enum diff difftype, bool rev)
+ ptrn_prefix_context = context;
+ ptrn_suffix_context = context;
+ if (repl_beginning
++ || p_end <= 0
+ || (p_end
+ != p_ptrn_lines + 1 + (p_Char[p_end - 1] == '\n')))
+ {
+--
+cgit v1.2.3
+
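Review bot: the wording for this fix is inconsistent across the submission. The series commit message quotes CVE-2019-20633 as a `free(p_line[p_end])` double free, while the embedded patch is titled "Avoid invalid memory access in context format diffs" and says nothing about a double free. Please state in the commit log that this upstream commit is the one referenced by the CVE record, and if possible note that the added `|| p_end <= 0` test runs before the `p_Char[p_end - 1]` lookup in the same condition, so a reader can see what access is being avoided. The index line `a500ad9..cb54e03` starts from the post-image of 0006, so the numbering order 0006 then 0007 is required and worth keeping as is.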
diff --git a/package/patch/patch.mk b/package/patch/patch.mk
index 6f83d2418c..9272449159 100644
--- a/package/patch/patch.mk
+++ b/package/patch/patch.mk
@@ -23,6 +23,12 @@ PATCH_IGNORE_CVES += CVE-2018-20969 CVE-2019-13638
# 0005-Don-t-follow-symlinks-unless--follow-symlinks-is-given.patch
PATCH_IGNORE_CVES += CVE-2019-13636
+# 0006-Fix-swapping-fake-lines-in-pch-swap.patch
+PATCH_IGNORE_CVES += CVE-2018-6952
+
+# 0007-Avoid-invalid-memory-access-in-context-format-diffs.patch
+PATCH_IGNORE_CVES += CVE-2019-20633
+
ifeq ($(BR2_PACKAGE_ATTR),y)
PATCH_CONF_OPTS += --enable-xattr
PATCH_DEPENDENCIES += attr
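Review bot: the two new `PATCH_IGNORE_CVES` entries are documented as if they were independent, but the commit message states that CVE-2019-20633 exists because the fix for CVE-2018-6952 was incomplete. A short remark in the comment above the 0007 entry saying that it completes 0006 would keep someone from later dropping or replacing one patch while leaving the other CVE marked as ignored.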
--
2.53.0
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot