[Buildroot] [PATCH] package/patch: add patches for CVE-2018-6952 & CVE-2019-20633

* [Buildroot] [PATCH] package/patch: add patches for CVE-2018-6952 & CVE-2019-20633
@ 2026-02-25 20:28 Thomas Perale via buildroot
  2026-02-25 21:15 ` Julien Olivain via buildroot
  2026-03-06 19:53 ` Thomas Perale via buildroot
  0 siblings, 2 replies; 3+ messages in thread
From: Thomas Perale via buildroot @ 2026-02-25 20:28 UTC (permalink / raw)
  To: buildroot

Fixes the following vulnerabilities:

- CVE-2018-6952:
    A double free exists in the another_hunk function in pch.c in GNU
    patch through 2.7.6.

For more information, see:
  - https://www.cve.org/CVERecord?id=CVE-2018-6952
  - https://cgit.git.savannah.gnu.org/cgit/patch.git/commit/?id=9c986353e420ead6e706262bf204d6e03322c300

- CVE-2019-20633:
    GNU patch through 2.7.6 contains a free(p_line[p_end]) Double Free
    vulnerability in the function another_hunk in pch.c that can cause a
    denial of service via a crafted patch file. NOTE: this issue exists
    because of an incomplete fix for CVE-2018-6952.

For more information, see:
  - https://www.cve.org/CVERecord?id=CVE-2019-20633
  - https://cgit.git.savannah.gnu.org/cgit/patch.git/commit/?id=15b158db3ae11cb835f2eb8d2eb48e09d1a4af48

Signed-off-by: Thomas Perale <thomas.perale@mind.be>
---
 ...-Fix-swapping-fake-lines-in-pch-swap.patch | 33 +++++++++++++++++++
 ...emory-access-in-context-format-diffs.patch | 30 +++++++++++++++++
 package/patch/patch.mk                        |  6 ++++
 3 files changed, 69 insertions(+)
 create mode 100644 package/patch/0006-Fix-swapping-fake-lines-in-pch-swap.patch
 create mode 100644 package/patch/0007-Avoid-invalid-memory-access-in-context-format-diffs.patch

diff --git a/package/patch/0006-Fix-swapping-fake-lines-in-pch-swap.patch b/package/patch/0006-Fix-swapping-fake-lines-in-pch-swap.patch
new file mode 100644
index 0000000000..6fd63dff53
--- /dev/null
+++ b/package/patch/0006-Fix-swapping-fake-lines-in-pch-swap.patch
@@ -0,0 +1,33 @@
+From 9c986353e420ead6e706262bf204d6e03322c300 Mon Sep 17 00:00:00 2001
+From: Andreas Gruenbacher <agruen@gnu.org>
+Date: Fri, 17 Aug 2018 13:35:40 +0200
+Subject: Fix swapping fake lines in pch_swap
+
+* src/pch.c (pch_swap): Fix swapping p_bfake and p_efake when there is a
+blank line in the middle of a context-diff hunk: that empty line stays
+in the middle of the hunk and isn't swapped.
+
+Fixes: https://savannah.gnu.org/bugs/index.php?53133
+CVE: CVE-2018-6952
+Upstream: https://cgit.git.savannah.gnu.org/cgit/patch.git/commit/?id=9c986353e420ead6e706262bf204d6e03322c300
+Signed-off-by: Thomas Perale <thomas.perale@mind.be>
+---
+ src/pch.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/pch.c b/src/pch.c
+index e92bc64..a500ad9 100644
+--- a/src/pch.c
++++ b/src/pch.c
+@@ -2115,7 +2115,7 @@ pch_swap (void)
+     }
+     if (p_efake >= 0) {			/* fix non-freeable ptr range */
+ 	if (p_efake <= i)
+-	    n = p_end - i + 1;
++	    n = p_end - p_ptrn_lines;
+ 	else
+ 	    n = -i;
+ 	p_efake += n;
+-- 
+cgit v1.2.3
+
diff --git a/package/patch/0007-Avoid-invalid-memory-access-in-context-format-diffs.patch b/package/patch/0007-Avoid-invalid-memory-access-in-context-format-diffs.patch
new file mode 100644
index 0000000000..5ffe3699ef
--- /dev/null
+++ b/package/patch/0007-Avoid-invalid-memory-access-in-context-format-diffs.patch
@@ -0,0 +1,30 @@
+From 15b158db3ae11cb835f2eb8d2eb48e09d1a4af48 Mon Sep 17 00:00:00 2001
+From: Andreas Gruenbacher <agruen@gnu.org>
+Date: Mon, 15 Jul 2019 19:10:02 +0200
+Subject: Avoid invalid memory access in context format diffs
+
+* src/pch.c (another_hunk): Avoid invalid memory access in context format
+diffs.
+
+CVE: CVE-2019-20633
+Upstream: https://cgit.git.savannah.gnu.org/cgit/patch.git/commit/?id=15b158db3ae11cb835f2eb8d2eb48e09d1a4af48
+Signed-off-by: Thomas Perale <thomas.perale@mind.be>
+---
+ src/pch.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/pch.c b/src/pch.c
+index a500ad9..cb54e03 100644
+--- a/src/pch.c
++++ b/src/pch.c
+@@ -1327,6 +1327,7 @@ another_hunk (enum diff difftype, bool rev)
+ 		  ptrn_prefix_context = context;
+ 		ptrn_suffix_context = context;
+ 		if (repl_beginning
++		    || p_end <= 0
+ 		    || (p_end
+ 			!= p_ptrn_lines + 1 + (p_Char[p_end - 1] == '\n')))
+ 		  {
+-- 
+cgit v1.2.3
+
diff --git a/package/patch/patch.mk b/package/patch/patch.mk
index 6f83d2418c..9272449159 100644
--- a/package/patch/patch.mk
+++ b/package/patch/patch.mk
@@ -23,6 +23,12 @@ PATCH_IGNORE_CVES += CVE-2018-20969 CVE-2019-13638
 # 0005-Don-t-follow-symlinks-unless--follow-symlinks-is-given.patch
 PATCH_IGNORE_CVES += CVE-2019-13636
 
+# 0006-Fix-swapping-fake-lines-in-pch-swap.patch
+PATCH_IGNORE_CVES += CVE-2018-6952
+
+# 0007-Avoid-invalid-memory-access-in-context-format-diffs.patch
+PATCH_IGNORE_CVES += CVE-2019-20633
+
 ifeq ($(BR2_PACKAGE_ATTR),y)
 PATCH_CONF_OPTS += --enable-xattr
 PATCH_DEPENDENCIES += attr
-- 
2.53.0

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

^ permalink raw reply related	[flat|nested] 3+ messages in thread