Bug 1182154 (CVE-2015-1196)

Summary: CVE-2015-1196 patch: directory traversal via symlinks
Product: [Other] Security Response Reporter: Martin Prpič <mprpic>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: agruenba, bressers, carnil, john.haxby, twaugh
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: patch 2.7.4 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-07-31 04:42:13 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1182157    
Bug Blocks: 1182159    
Attachments:
Description Flags
Upstream fix none

Description Martin Prpič 2015-01-14 14:23:43 UTC 
It was reported [1] that the versions of the patch utility that support Git-style patches are vulnerable to a directory traversal flaw. This could allow an attacker to overwrite arbitrary files by applying a specially crafted patch, with the privileges of the user running patch. A reproducer for this issue is available in [1].

[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=775227
Comment 1 Martin Prpič 2015-01-14 14:26:30 UTC 
Created patch tracking bugs for this issue:

Affects: fedora-all [bug 1182157]
Comment 2 Martin Prpič 2015-01-14 14:31:30 UTC 
CVE request: http://seclists.org/oss-sec/2015/q1/131
Comment 4 Andreas Gruenbacher 2015-01-20 11:12:40 UTC 
Created attachment 981802 [details]
Upstream fix

Not sure how the upstream fix applies to the shipped versions. Can anyone help me get this into the packages, and get security updates out?
Comment 5 Andreas Gruenbacher 2015-01-20 12:09:08 UTC 
Note that upstream has other critical bug fixes as well.
Comment 6 Tim Waugh 2015-01-20 14:46:12 UTC 
Here's one of the fixes that looks most security-critical, other than CVE-2015-1196:

http://git.savannah.gnu.org/cgit/patch.git/commit/?id=44a987e02f04b9d81a0db4a611145cad1093a2d3
Comment 8 Martin Prpič 2015-01-21 07:23:39 UTC 
I requested CVEs for the other issues and will file separate bugs once they are assigned:

http://seclists.org/oss-sec/2015/q1/189
Comment 9 Andreas Gruenbacher 2015-01-21 08:48:00 UTC 
Comment 8: Oh well, bureaucracy.

Just be warned that another directory traversal bug has just been reported upstream which will also need a separate CVE:
http://savannah.gnu.org/bugs/?44059>
Comment 10 Martin Prpič 2015-01-21 15:21:45 UTC 
Also note that the fix attached in comment#4 seems to be incomplete:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=775901
Comment 14 Andreas Gruenbacher 2015-02-02 13:40:57 UTC 
Upstream patch-2.7.4 should have this properly fixed now.
Comment 15 Vincent Danen 2015-07-31 04:42:13 UTC 
This is really only problematic if you're a) running patch on patch files you've not inspected first or b) are running patch as root.  In either case, you shouldn't be patching things as root unless they're trusted and possibly it's worth inspecting patch files first.

Statement:

Red Hat Product Security has rated this issue as having Moderate security impact. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.
Comment 16 Vincent Danen 2015-07-31 04:47:40 UTC 
Also note that there was an incomplete fix to this that resulted in another CVE (CVE-2015-1396):

https://bugzilla.redhat.com/show_bug.cgi?id=1186764

Given we have not fixed this, we're not vulnerable to the second incomplete-fix CVE either (noting for posterity if this is addressed in the future, to ensure that a complete fix is applied).