Bug 1182154 (CVE-2015-1196) - CVE-2015-1196 patch: directory traversal via symlinks
Summary: CVE-2015-1196 patch: directory traversal via symlinks
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2015-1196
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1182157
Blocks: 1182159
TreeView+ depends on / blocked
 
Reported: 2015-01-14 14:23 UTC by Martin Prpič
Modified: 2021-02-17 05:48 UTC (History)
5 users (show)

Fixed In Version: patch 2.7.4
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-07-31 04:42:13 UTC
Embargoed:


Attachments (Terms of Use)
Upstream fix (5.50 KB, patch)
2015-01-20 11:12 UTC, Andreas Gruenbacher
no flags Details | Diff

Description Martin Prpič 2015-01-14 14:23:43 UTC
It was reported [1] that the versions of the patch utility that support Git-style patches are vulnerable to a directory traversal flaw. This could allow an attacker to overwrite arbitrary files by applying a specially crafted patch, with the privileges of the user running patch. A reproducer for this issue is available in [1].

[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=775227

Comment 1 Martin Prpič 2015-01-14 14:26:30 UTC
Created patch tracking bugs for this issue:

Affects: fedora-all [bug 1182157]

Comment 2 Martin Prpič 2015-01-14 14:31:30 UTC
CVE request: http://seclists.org/oss-sec/2015/q1/131

Comment 4 Andreas Gruenbacher 2015-01-20 11:12:40 UTC
Created attachment 981802 [details]
Upstream fix

Not sure how the upstream fix applies to the shipped versions. Can anyone help me get this into the packages, and get security updates out?

Comment 5 Andreas Gruenbacher 2015-01-20 12:09:08 UTC
Note that upstream has other critical bug fixes as well.

Comment 6 Tim Waugh 2015-01-20 14:46:12 UTC
Here's one of the fixes that looks most security-critical, other than CVE-2015-1196:

http://git.savannah.gnu.org/cgit/patch.git/commit/?id=44a987e02f04b9d81a0db4a611145cad1093a2d3

Comment 8 Martin Prpič 2015-01-21 07:23:39 UTC
I requested CVEs for the other issues and will file separate bugs once they are assigned:

http://seclists.org/oss-sec/2015/q1/189

Comment 9 Andreas Gruenbacher 2015-01-21 08:48:00 UTC
Comment 8: Oh well, bureaucracy.

Just be warned that another directory traversal bug has just been reported upstream which will also need a separate CVE:
http://savannah.gnu.org/bugs/?44059>

Comment 10 Martin Prpič 2015-01-21 15:21:45 UTC
Also note that the fix attached in comment#4 seems to be incomplete:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=775901

Comment 14 Andreas Gruenbacher 2015-02-02 13:40:57 UTC
Upstream patch-2.7.4 should have this properly fixed now.

Comment 15 Vincent Danen 2015-07-31 04:42:13 UTC
This is really only problematic if you're a) running patch on patch files you've not inspected first or b) are running patch as root.  In either case, you shouldn't be patching things as root unless they're trusted and possibly it's worth inspecting patch files first.

Statement:

Red Hat Product Security has rated this issue as having Moderate security impact. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.

Comment 16 Vincent Danen 2015-07-31 04:47:40 UTC
Also note that there was an incomplete fix to this that resulted in another CVE (CVE-2015-1396):

https://bugzilla.redhat.com/show_bug.cgi?id=1186764

Given we have not fixed this, we're not vulnerable to the second incomplete-fix CVE either (noting for posterity if this is addressed in the future, to ensure that a complete fix is applied).


Note You need to log in before you can comment on or make changes to this bug.