Created patch tracking bugs for this issue:

Affects: fedora-all [bug 1182157]

CVE request: http://seclists.org/oss-sec/2015/q1/131

Created attachment 981802 [details]
Upstream fix

Not sure how the upstream fix applies to the shipped versions. Can anyone help me get this into the packages, and get security updates out?

Note that upstream has other critical bug fixes as well.

Here's one of the fixes that looks most security-critical, other than CVE-2015-1196:

http://git.savannah.gnu.org/cgit/patch.git/commit/?id=44a987e02f04b9d81a0db4a611145cad1093a2d3

I requested CVEs for the other issues and will file separate bugs once they are assigned:

http://seclists.org/oss-sec/2015/q1/189

Comment 8: Oh well, bureaucracy.

Just be warned that another directory traversal bug has just been reported upstream which will also need a separate CVE:
http://savannah.gnu.org/bugs/?44059>

Also note that the fix attached in comment#4 seems to be incomplete:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=775901

Upstream patch-2.7.4 should have this properly fixed now.

This is really only problematic if you're a) running patch on patch files you've not inspected first or b) are running patch as root.  In either case, you shouldn't be patching things as root unless they're trusted and possibly it's worth inspecting patch files first.

Statement:

Red Hat Product Security has rated this issue as having Moderate security impact. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.

Also note that there was an incomplete fix to this that resulted in another CVE (CVE-2015-1396):

https://bugzilla.redhat.com/show_bug.cgi?id=1186764

Given we have not fixed this, we're not vulnerable to the second incomplete-fix CVE either (noting for posterity if this is addressed in the future, to ensure that a complete fix is applied).