patch: directory traversal flaw (CVE-2015-1196)
GNU patch 2.7.1 allows remote attackers to write to arbitrary files via a symlink attack in a patch file.
References:
http://seclists.org/oss-sec/2015/q1/173
CONFIRM: http://git.savannah.gnu.org/cgit/patch.git/commit/?id=4e9269a5fc1fe80a1095a92593dd85db871e1fd3
CONFIRM: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=775227
CONFIRM: https://bugzilla.redhat.com/show_bug.cgi?id=1182154
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1196
(from redmine: issue id 3854, created on 2015-02-02, closed on 2015-02-04)
- Relations:
- relates #3888 (closed)
- child #3855 (closed)
- child #3856 (closed)
- child #3857 (closed)
- child #3858 (closed)
- Changesets:
- Revision 5ac69ea4 by Natanael Copa on 2015-02-02T11:41:18Z:
main/patch: security fix for CVE-2015-119
ref #3854
- Revision 6b73a079 by Natanael Copa on 2015-02-02T11:42:36Z:
main/patch: security fix for CVE-2015-119
ref #3854
fixes #3858
(cherry picked from commit 5ac69ea49d71a514ca0d499827d11c4b5bb05d93)
- Revision cc95eb24 by Natanael Copa on 2015-02-02T11:44:22Z:
main/patch: security fix for CVE-2015-119
ref #3854
fixes #3857
(cherry picked from commit 5ac69ea49d71a514ca0d499827d11c4b5bb05d93)
- Revision 566f7571 by Natanael Copa on 2015-02-02T11:45:04Z:
main/patch: security fix for CVE-2015-119
ref #3854
fixes #3856
(cherry picked from commit 5ac69ea49d71a514ca0d499827d11c4b5bb05d93)
- Revision f6d4fc93 by Natanael Copa on 2015-02-02T11:45:36Z:
main/patch: security fix for CVE-2015-119
ref #3854
fixes #3855
(cherry picked from commit 5ac69ea49d71a514ca0d499827d11c4b5bb05d93)