Debian Bug report logs -
#775873
patch: CVE-2015-1395: directory traversal via file rename
Reported by: Jakub Wilk <jwilk@debian.org>
Date: Tue, 20 Jan 2015 22:51:01 UTC
Severity: grave
Tags: security
Found in versions patch/2.7.1-1, patch/2.7.1-6, patch/2.7.1-7
Fixed in version patch/2.7.3-1
Done: Laszlo Boszormenyi (GCS) <gcs@debian.org>
Bug is archived. No further changes may be made.
Forwarded to https://savannah.gnu.org/bugs/?44059
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, jwilk@debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>:
Bug#775873; Package patch.
(Tue, 20 Jan 2015 22:51:06 GMT) (full text, mbox, link).
Message #3 received at submit@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Package: patch
Version: 2.7.1-7
Tags: security
patch now support git-style patches, which allows renaming files. This
feature can be abused for directory traversal. As a proof of concept,
applying the attached patch creates a file in /tmp:
$ ls /tmp/moo
/bin/ls: cannot access /tmp/moo: No such file or directory
$ mkdir empty && cd empty
$ patch -p1 < ~/traversal2.diff
patching file moo
patching file ../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../tmp/moo (renamed from moo)
$ ls /tmp/moo
/tmp/moo
-- System Information:
Debian Release: 8.0
APT prefers unstable
APT policy: (990, 'unstable'), (500, 'experimental')
Architecture: i386 (x86_64)
Foreign Architectures: amd64
Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=pl_PL.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)
Versions of packages patch depends on:
ii libc6 2.19-13
--
Jakub Wilk
[traversal2.diff (text/x-diff, attachment)]
Information forwarded
to debian-bugs-dist@lists.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>:
Bug#775873; Package patch.
(Wed, 21 Jan 2015 08:15:08 GMT) (full text, mbox, link).
Acknowledgement sent
to Vincent Lefevre <vincent@vinc17.net>:
Extra info received and forwarded to list. Copy sent to Laszlo Boszormenyi (GCS) <gcs@debian.org>.
(Wed, 21 Jan 2015 08:15:08 GMT) (full text, mbox, link).
Message #8 received at 775873@bugs.debian.org (full text, mbox, reply):
Control: found -1 2.7.1-6
I could check that this bug is also present in 2.7.1-6. Marking as
found there (this should be useful for apt-listbugs).
--
Vincent Lefèvre <vincent@vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
Marked as found in versions patch/2.7.1-6.
Request was from Vincent Lefevre <vincent@vinc17.net>
to 775873-submit@bugs.debian.org.
(Wed, 21 Jan 2015 08:15:08 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>:
Bug#775873; Package patch.
(Wed, 21 Jan 2015 08:27:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Vincent Lefevre <vincent@vinc17.net>:
Extra info received and forwarded to list. Copy sent to Laszlo Boszormenyi (GCS) <gcs@debian.org>.
(Wed, 21 Jan 2015 08:27:04 GMT) (full text, mbox, link).
Message #15 received at 775873@bugs.debian.org (full text, mbox, reply):
Control: severity -1 grave
because one can easily attack a local user, e.g. by creating an
arbitrary rc file in his home directory.
--
Vincent Lefèvre <vincent@vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
Severity set to 'grave' from 'normal'
Request was from Vincent Lefevre <vincent@vinc17.net>
to 775873-submit@bugs.debian.org.
(Wed, 21 Jan 2015 08:27:04 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>:
Bug#775873; Package patch.
(Thu, 22 Jan 2015 21:51:05 GMT) (full text, mbox, link).
Acknowledgement sent
to Jonathan Wiltshire <jmw@debian.org>:
Extra info received and forwarded to list. Copy sent to Laszlo Boszormenyi (GCS) <gcs@debian.org>.
(Thu, 22 Jan 2015 21:51:05 GMT) (full text, mbox, link).
Message #22 received at 775873@bugs.debian.org (full text, mbox, reply):
Control: retitle -1 patch: CVE-2015-1196 directory traversal via file rename
This issue was assigned CVE-2015-1196. If you upload fixed packages, please
include the CVE identifier in the changelog.
--
Jonathan Wiltshire jmw@debian.org
Debian Developer http://people.debian.org/~jmw
4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51
Changed Bug title to 'patch: CVE-2015-1196 directory traversal via file rename' from 'patch: directory traversal via file rename'
Request was from Jonathan Wiltshire <jmw@debian.org>
to 775873-submit@bugs.debian.org.
(Thu, 22 Jan 2015 21:51:05 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>:
Bug#775873; Package patch.
(Thu, 22 Jan 2015 22:09:12 GMT) (full text, mbox, link).
Acknowledgement sent
to Jonathan Wiltshire <jmw@debian.org>:
Extra info received and forwarded to list. Copy sent to Laszlo Boszormenyi (GCS) <gcs@debian.org>.
(Thu, 22 Jan 2015 22:09:12 GMT) (full text, mbox, link).
Message #31 received at 775873@bugs.debian.org (full text, mbox, reply):
On Thu, Jan 22, 2015 at 09:49:39PM +0000, Jonathan Wiltshire wrote:
> This issue was assigned CVE-2015-1196. If you upload fixed packages, please
> include the CVE identifier in the changelog.
Seems the previous fix was incomplete, if I understand the traffic
correctly.
--
Jonathan Wiltshire jmw@debian.org
Debian Developer http://people.debian.org/~jmw
4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51
Information forwarded
to debian-bugs-dist@lists.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>:
Bug#775873; Package patch.
(Sat, 24 Jan 2015 09:54:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Laszlo Boszormenyi (GCS) <gcs@debian.org>.
(Sat, 24 Jan 2015 09:54:05 GMT) (full text, mbox, link).
Message #36 received at 775873@bugs.debian.org (full text, mbox, reply):
Control: retitle -1 patch: directory traversal via file rename
Hi Jonathan,
On Thu, Jan 22, 2015 at 09:56:20PM +0000, Jonathan Wiltshire wrote:
> On Thu, Jan 22, 2015 at 09:49:39PM +0000, Jonathan Wiltshire wrote:
> > This issue was assigned CVE-2015-1196. If you upload fixed packages, please
> > include the CVE identifier in the changelog.
>
> Seems the previous fix was incomplete, if I understand the traffic
> correctly.
I think this needs a new CVE. CVE-2015-1196 was assigned for the
following:
[1] https://bugs.debian.org/775227
[2] https://security-tracker.debian.org/tracker/CVE-2015-1196
and the directory traversal via file rename does not seem to have a
CVE yet? (retitling back this subject just to avoid confusion).
Regards,
Salvatore
Changed Bug title to 'patch: directory traversal via file rename' from 'patch: CVE-2015-1196 directory traversal via file rename'
Request was from Salvatore Bonaccorso <carnil@debian.org>
to 775873-submit@bugs.debian.org.
(Sat, 24 Jan 2015 09:54:05 GMT) (full text, mbox, link).
Marked as found in versions patch/2.7.1-1.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Sat, 24 Jan 2015 10:00:05 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>:
Bug#775873; Package patch.
(Sat, 24 Jan 2015 10:09:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Laszlo Boszormenyi (GCS) <gcs@debian.org>.
(Sat, 24 Jan 2015 10:09:04 GMT) (full text, mbox, link).
Message #45 received at 775873@bugs.debian.org (full text, mbox, reply):
Hi,
On Sat, Jan 24, 2015 at 10:50:11AM +0100, Salvatore Bonaccorso wrote:
> Control: retitle -1 patch: directory traversal via file rename
>
> Hi Jonathan,
>
> On Thu, Jan 22, 2015 at 09:56:20PM +0000, Jonathan Wiltshire wrote:
> > On Thu, Jan 22, 2015 at 09:49:39PM +0000, Jonathan Wiltshire wrote:
> > > This issue was assigned CVE-2015-1196. If you upload fixed packages, please
> > > include the CVE identifier in the changelog.
> >
> > Seems the previous fix was incomplete, if I understand the traffic
> > correctly.
>
> I think this needs a new CVE. CVE-2015-1196 was assigned for the
> following:
>
> [1] https://bugs.debian.org/775227
> [2] https://security-tracker.debian.org/tracker/CVE-2015-1196
>
> and the directory traversal via file rename does not seem to have a
> CVE yet? (retitling back this subject just to avoid confusion).
I have requested a CVE for this one at
http://www.openwall.com/lists/oss-security/2015/01/24/2
Regards,
Salvatore
Information forwarded
to debian-bugs-dist@lists.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>:
Bug#775873; Package patch.
(Sat, 24 Jan 2015 10:21:05 GMT) (full text, mbox, link).
Acknowledgement sent
to László Böszörményi (GCS) <gcs@debian.org>:
Extra info received and forwarded to list. Copy sent to Laszlo Boszormenyi (GCS) <gcs@debian.org>.
(Sat, 24 Jan 2015 10:21:05 GMT) (full text, mbox, link).
Message #50 received at 775873@bugs.debian.org (full text, mbox, reply):
On Sat, Jan 24, 2015 at 11:04 AM, Salvatore Bonaccorso
<carnil@debian.org> wrote:
> On Sat, Jan 24, 2015 at 10:50:11AM +0100, Salvatore Bonaccorso wrote:
>> and the directory traversal via file rename does not seem to have a
>> CVE yet? (retitling back this subject just to avoid confusion).
>
> I have requested a CVE for this one at
> http://www.openwall.com/lists/oss-security/2015/01/24/2
OK, but please note that there are three CVE number requests
now[1][2][3]. Fixes are released and the packaging is ready. Should I
wait for the CVE number assignment to note those in changelog or
better if I upload the new version?
Regards,
Laszlo/GCS
[1] https://security-tracker.debian.org/tracker/TEMP-0000000-064450
[2] https://security-tracker.debian.org/tracker/TEMP-0775873-B5D91A
[3] https://security-tracker.debian.org/tracker/TEMP-0775901-CA9436
Information forwarded
to debian-bugs-dist@lists.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>:
Bug#775873; Package patch.
(Sat, 24 Jan 2015 10:45:12 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Laszlo Boszormenyi (GCS) <gcs@debian.org>.
(Sat, 24 Jan 2015 10:45:12 GMT) (full text, mbox, link).
Message #55 received at 775873@bugs.debian.org (full text, mbox, reply):
Hi!
On Sat, Jan 24, 2015 at 11:17:03AM +0100, László Böszörményi (GCS) wrote:
> On Sat, Jan 24, 2015 at 11:04 AM, Salvatore Bonaccorso
> <carnil@debian.org> wrote:
> > On Sat, Jan 24, 2015 at 10:50:11AM +0100, Salvatore Bonaccorso wrote:
> >> and the directory traversal via file rename does not seem to have a
> >> CVE yet? (retitling back this subject just to avoid confusion).
> >
> > I have requested a CVE for this one at
> > http://www.openwall.com/lists/oss-security/2015/01/24/2
> OK, but please note that there are three CVE number requests
> now[1][2][3]. Fixes are released and the packaging is ready. Should I
> wait for the CVE number assignment to note those in changelog or
> better if I upload the new version?
IMO, if you have patches ready to fix these issues, you can go ahead
with an upload if CVEs are not assigned by then, since for all but one
we have also a reference in the BTS identifying the issue.
Regards,
Salvatore
p.s.: don't use the TEMP names in the changelog, since they can change
over time.
Reply sent
to Laszlo Boszormenyi (GCS) <gcs@debian.org>:
You have taken responsibility.
(Sat, 24 Jan 2015 17:21:05 GMT) (full text, mbox, link).
Notification sent
to Jakub Wilk <jwilk@debian.org>:
Bug acknowledged by developer.
(Sat, 24 Jan 2015 17:21:05 GMT) (full text, mbox, link).
Message #60 received at 775873-close@bugs.debian.org (full text, mbox, reply):
Source: patch
Source-Version: 2.7.3-1
We believe that the bug you reported is fixed in the latest version of
patch, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 775873@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Laszlo Boszormenyi (GCS) <gcs@debian.org> (supplier of updated patch package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Fri, 23 Jan 2015 20:27:32 +0000
Source: patch
Binary: patch
Architecture: source amd64
Version: 2.7.3-1
Distribution: unstable
Urgency: high
Maintainer: Laszlo Boszormenyi (GCS) <gcs@debian.org>
Changed-By: Laszlo Boszormenyi (GCS) <gcs@debian.org>
Description:
patch - Apply a diff file to an original
Closes: 775873 775901
Changes:
patch (2.7.3-1) unstable; urgency=high
.
* New upstream release with security fixes:
- fix all cases of CVE-2015-1196 (closes: #775873, #775901),
- fix infinite loop while applying patch, CVE-2014-9637.
* Remove outdated disable-update-version and add_manpage_time.patch
Debian patches.
* Add homepage field.
* Add watch file.
Checksums-Sha1:
4f268078a1fbca817718bdbdc55800dc248010c2 1795 patch_2.7.3-1.dsc
4191a36e4733935912280650b32644d9c786dfa1 684764 patch_2.7.3.orig.tar.xz
f55e05a44ce413bad4ec4024b1535642a32bb49e 8008 patch_2.7.3-1.debian.tar.xz
ea9a4bac964c7597778c622a8180ead0dd14c8a3 100886 patch_2.7.3-1_amd64.deb
Checksums-Sha256:
1995faba243dd94983feaed23d5426cbdafdeea062716d6e16d3f2293c8cecb3 1795 patch_2.7.3-1.dsc
d09022de9d629561bf4dad44625ef4b1ead15178b210412113531730cdb6f19d 684764 patch_2.7.3.orig.tar.xz
ec7b8b549a0ae8a00edd4655715100e22d85c3f3babc7c83ee0008cc23093632 8008 patch_2.7.3-1.debian.tar.xz
3af466c57953e6a653d703e3f665d8e02f2a4ef862c70f8cac2033aed4dc7096 100886 patch_2.7.3-1_amd64.deb
Files:
4911f5407afb72e201faa3ec9a8191f8 1795 vcs standard patch_2.7.3-1.dsc
29b87be845e4662ab0ca0d48a805ecc6 684764 vcs standard patch_2.7.3.orig.tar.xz
ce27aa99309c2c801fd6f9bcc951aa2c 8008 vcs standard patch_2.7.3-1.debian.tar.xz
c6ce0a0e9a7793382f674a640cac50e7 100886 vcs standard patch_2.7.3-1_amd64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIcBAEBCAAGBQJUw8gPAAoJENzjEOeGTMi/zlMQAI4/qvk+rLMAlScuQLzerLL7
RGDqAH3I0bVuucHkHhVKIsHGm2AeME4NdE+HZnThrgEL94Opz3fKY8j3arPWgFkR
GQJP4jEo76LLLFfwzB5TVefqN/BviRiG4dYzCTMC5p+ojs75z7z9UX3V3+Ki2Gcr
NxXZ//i4NzaLFGXA8+djvQ2iWBgjx95K00ujxTmCyYVbdRbsQ3t5vFsuETavkzNW
DZw8qJ3rQWhye602Z5jF0Q12YEnbLLY80iOPG26i0zXU0+lNTTw6APuQAsSn+BvN
dlfzl2j9xXdOjTza9LvBhsLGNtSvQev+R8ORGYEmPINwGq/2vF2TucGWmYllS/Wl
0LOgyfXtFm9k5+dZ9jUJM9TUeQRTn6er/7aECu62CjoXIQNspV/1XP66RsH4m4Z4
f0/Z6JL+yGFHJkB8NK7mKZVLW36L8x8vhhmbx+fIE5/NSH/DWfTuUrR22VKIY3B5
o46UUYvde/dxwVK2auIs4KPIUn/YK090NU2TnVv/M2uJgGbbs3phDwCqJukJC1s9
QCeCsQ77Ctn6IHN0a7D1CbQrmYovqdEeDvNYZE7bp1Ty+JxzPl99dpbuTr1kBbYX
p/dmg4V43q2o5FZYSb7j6RnalgA14JuzUaSS/URjphJFiWLDbuba3mXmOxXJ3oHg
tEKZF2rKwjYrdkBBUDxG
=kUjt
-----END PGP SIGNATURE-----
Changed Bug title to 'patch: CVE-2015-1395: directory traversal via file rename' from 'patch: directory traversal via file rename'
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Wed, 28 Jan 2015 04:18:07 GMT) (full text, mbox, link).
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Thu, 12 Mar 2015 07:27:08 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 14:31:34 2019;
Machine Name:
beach
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon