[v3.1] patch: directory traversal flaw (CVE-2015-1196)
GNU patch 2.7.1 allows remote attackers to write to arbitrary files via a symlink attack in a patch file.
References:
http://seclists.org/oss-sec/2015/q1/173
CONFIRM: http://git.savannah.gnu.org/cgit/patch.git/commit/?id=4e9269a5fc1fe80a1095a92593dd85db871e1fd3
CONFIRM: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=775227
CONFIRM: https://bugzilla.redhat.com/show_bug.cgi?id=1182154
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1196
(from redmine: issue id 3858, created on 2015-02-02, closed on 2015-02-04)
- Relations:
  - parent #3854 (closed)
- Changesets:
  - Revision 6b73a079 by Natanael Copa on 2015-02-02T11:42:36Z:
main/patch: security fix for CVE-2015-119
ref #3854
fixes #3858
(cherry picked from commit 5ac69ea49d71a514ca0d499827d11c4b5bb05d93)