Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 536614 (CVE-2015-1196) - <sys-devel/patch-2.7.3: directory traversal via symlinks (CVE-2015-1196)
Summary: <sys-devel/patch-2.7.3: directory traversal via symlinks (CVE-2015-1196)
Status: RESOLVED FIXED
Alias: CVE-2015-1196
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: A4 [noglsa]
Keywords:
Depends on:
Blocks: 537594 537596
  Show dependency tree
 
Reported: 2015-01-14 16:38 UTC by Agostino Sarubbo
Modified: 2015-03-17 03:48 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2015-01-14 16:38:19 UTC 
From ${URL} :

It was reported [1] that the versions of the patch utility that support Git-style patches are 
vulnerable to a directory traversal flaw. This could allow an attacker to overwrite arbitrary files 
by applying a specially crafted patch, with the privileges of the user running patch. A reproducer 
for this issue is available in [1].

[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=775227


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2015-01-21 07:35:43 UTC 
+*patch-2.7.2 (21 Jan 2015)
+
+  21 Jan 2015; Lars Wendler <polynomial-c@gentoo.org> -patch-2.5.9.ebuild,
+  -patch-2.5.9-r1.ebuild, -patch-2.7.1-r2.ebuild, +patch-2.7.2.ebuild,
+  -files/patch-2.5.9-cr-stripping.patch,
+  -files/patch-2.7.1-Fix-removing-empty-directories-automake.patch:
+  Security bump (bug #536614). Removed old.
+

As this is a crucial package for us I'd like to have it sit in testing (~arch) for a couple of days before we start stabilization process.
Comment 2 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2015-01-23 19:06:20 UTC 
+*patch-2.7.2-r1 (23 Jan 2015)
+
+  23 Jan 2015; Lars Wendler <polynomial-c@gentoo.org> +patch-2.7.2-r1.ebuild,
+  +files/patch-2.7.2-fix_for_CVE-2015-1196_fix.patch,
+  +files/patch-2.7.2-valid_filenames_on_renames_and_copies.patch:
+  Revbump to add two upstream fixes.
+

=sys-devel/2.7.2-r1 will be the stable candidate regarding this security bug.
Comment 3 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2015-01-23 19:39:25 UTC 
+*patch-2.7.3 (23 Jan 2015)
+
+  23 Jan 2015; Lars Wendler <polynomial-c@gentoo.org> -patch-2.7.2-r1.ebuild,
+  +patch-2.7.3.ebuild:
+  Rather use latest release than patch the previous one (d'oh!)
+

=sys-devel/2.7.3 will be the stable candidate regarding this security bug.
Comment 4 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2015-01-23 19:39:51 UTC 
I mean =sys-devel/patch-2.7.3
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2015-01-23 22:50:21 UTC 
CVE-2015-1196 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1196):
  GNU patch 2.7.1 allows remote attackers to write to arbitrary files via a
  symlink attack in a patch file.
Comment 6 Yury German Gentoo Infrastructure gentoo-dev 2015-01-23 22:52:03 UTC 
Maintainer(s), please advise if you when you are ready for stabilization or call for stabilization yourself.
Comment 7 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2015-01-27 12:24:18 UTC 
Arches please test and mark stable =sys-devel/patch-2.7.3 with target KEYWORDS:

alpha amd64 arm ~arm64 hppa ia64 ~m68k mips ppc ppc64 ~s390 ~sh sparc x86 ~ppc-aix ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~x64-freebsd ~x86-freebsd ~hppa-hpux ~ia64-hpux ~x86-interix ~amd64-linux ~arm-linux ~ia64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris
Comment 8 Jeroen Roovers (RETIRED) gentoo-dev 2015-01-27 19:53:41 UTC 
Stable for HPPA.
Comment 9 Agostino Sarubbo gentoo-dev 2015-01-28 13:34:14 UTC 
amd64 stable
Comment 10 Toralf Förster gentoo-dev 2015-01-28 15:22:06 UTC 
There's a complaint about this version here : https://lkml.org/lkml/2015/1/26/522
Comment 11 Agostino Sarubbo gentoo-dev 2015-01-31 10:33:10 UTC 
ppc stable
Comment 12 Markus Meier gentoo-dev 2015-02-01 21:05:03 UTC 
arm stable
Comment 13 Agostino Sarubbo gentoo-dev 2015-02-15 15:08:24 UTC 
x86 stable
Comment 14 Agostino Sarubbo gentoo-dev 2015-02-16 10:22:34 UTC 
sparc stable
Comment 15 Agostino Sarubbo gentoo-dev 2015-02-18 08:51:56 UTC 
ppc64 stable
Comment 16 Agostino Sarubbo gentoo-dev 2015-02-23 11:37:43 UTC 
ia64 stable
Comment 17 Agostino Sarubbo gentoo-dev 2015-02-24 10:59:14 UTC 
alpha stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 18 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2015-02-24 13:32:06 UTC 
GLSA vote: no.
Comment 19 Kristian Fiskerstrand (RETIRED) gentoo-dev 2015-02-24 13:33:43 UTC 
GLSA Vote: No
Comment 20 Yury German Gentoo Infrastructure gentoo-dev 2015-03-16 13:51:47 UTC 
Maintainer(s), please drop the vulnerable version(s).
Comment 21 Yury German Gentoo Infrastructure gentoo-dev 2015-03-17 03:48:21 UTC 
Maintainer(s), Thank you for you for cleanup as part of Bug 537596