bug-patch
Can we have a new release of GNU patch?


From: Eli Schwartz
Subject: Can we have a new release of GNU patch?
Date: Mon, 20 May 2024 16:14:27 -0400
User-agent: Mozilla Thunderbird

GNU patch version 2.7.6 was released in 2018, six years ago. Since then,
a bunch of fixes have been made.

Gentoo currently backports 12 commits from patch's master branch,
including a bunch of CVE fixes. Even this isn't enough to fix for
example https://bugs.gentoo.org/898598 which simply requires a new dist
tarball with updated gnulib.

(Unfortunately, updating gnulib is sufficiently complex that I'm afraid to
touch it, and it is definitely going to be a problem to do it fully
offline as needed for distro packaging, especially for a one-shot event.)

gnulib was updated in response to the email thread:

"Build failure caused by out of date gnulib"

So it sounds like other people would appreciate a new release as well.


In particular I think it's important that CVE fixes be available in a
new dist tarball, to avoid the issue that not everyone will realize they
need to backport these fixes, and as a result, potentially end up with a
vulnerable `patch` binary.

-- 
Eli Schwartz
