"patch calls ed. Ed calls sh. Arbitrary command execution through unreviewed patches." https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=894667 … <-- Somebody needs to submit a bug against GNU patch if it does that.
-
I'll make a minimal reproducer and write up a bug report later if no one else does it faster
-
Someone else reported it already; I attached a PoC https://savannah.gnu.org/bugs/index.php?53566 …
-
That was me. Thanks :) I'll attach the patch I was working on, but I doubt it'll be merged. (It makes GNU Patch refuse to handle ed scripts by default, warning that they are "potentially dangerous").
-
Patch attached, let's see what happens :)
-
As expected, my patch wasn't accepted. But an alternative patch has been merged and it has been assigned CVE-2018-1000156.