It was reported [1] that the versions of the patch utility that support Git-style patches are vulnerable to a directory traversal flaw. This could allow an attacker to overwrite arbitrary files by applying a specially crafted patch, with the privileges of the user running patch. A reproducer for this issue is available in [1]. [1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=775227
Created patch tracking bugs for this issue: Affects: fedora-all [bug 1182157]
CVE request: http://seclists.org/oss-sec/2015/q1/131
Created attachment 981802 [details] Upstream fix Not sure how the upstream fix applies to the shipped versions. Can anyone help me get this into the packages, and get security updates out?
Note that upstream has other critical bug fixes as well.
Here's one of the fixes that looks most security-critical, other than CVE-2015-1196: http://git.savannah.gnu.org/cgit/patch.git/commit/?id=44a987e02f04b9d81a0db4a611145cad1093a2d3
I requested CVEs for the other issues and will file separate bugs once they are assigned: http://seclists.org/oss-sec/2015/q1/189
Comment 8: Oh well, bureaucracy. Just be warned that another directory traversal bug has just been reported upstream which will also need a separate CVE: http://savannah.gnu.org/bugs/?44059>
Also note that the fix attached in comment#4 seems to be incomplete: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=775901
Upstream patch-2.7.4 should have this properly fixed now.
This is really only problematic if you're a) running patch on patch files you've not inspected first or b) are running patch as root. In either case, you shouldn't be patching things as root unless they're trusted and possibly it's worth inspecting patch files first. Statement: Red Hat Product Security has rated this issue as having Moderate security impact. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.
Also note that there was an incomplete fix to this that resulted in another CVE (CVE-2015-1396): https://bugzilla.redhat.com/show_bug.cgi?id=1186764 Given we have not fixed this, we're not vulnerable to the second incomplete-fix CVE either (noting for posterity if this is addressed in the future, to ensure that a complete fix is applied).