patch: CVE-2015-1196: directory traversal via symlinks

Related Vulnerabilities: CVE-2015-1196  

Debian Bug report logs - #775227
patch: CVE-2015-1196: directory traversal via symlinks


Package: patch; Maintainer for patch is Laszlo Boszormenyi (GCS) <gcs@debian.org>; Source for patch is src:patch.

Reported by: Jakub Wilk <jwilk@debian.org>

Date: Mon, 12 Jan 2015 19:27:02 UTC

Severity: normal

Tags: security, upstream

Found in version patch/2.7.1-6

Fixed in version patch/2.7.1-7

Done: Laszlo Boszormenyi (GCS) <gcs@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, jwilk@debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>:
Bug#775227; Package patch. (Mon, 12 Jan 2015 19:27:06 GMT)


Message #3 received at submit@bugs.debian.org:

From: Jakub Wilk <jwilk@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: patch: directory traversal via symlinks
Date: Mon, 12 Jan 2015 20:25:20 +0100
Package: patch
Version: 2.7.1-6
Tags: security

patch now supports git-style patches, which allow creating symlinks.
This feature can be abused for directory traversal. As a proof of
concept, applying the attached patch creates a file in /tmp:

$ ls /tmp/moo
/bin/ls: cannot access /tmp/moo: No such file or directory

$ mkdir empty && cd empty

$ patch -p1 < ~/traversal.diff
patching symbolic link tmp
patching file tmp/moo

$ ls /tmp/moo
/tmp/moo


-- System Information:
Debian Release: 8.0
 APT prefers unstable
 APT policy: (990, 'unstable'), (500, 'experimental')
Architecture: i386 (x86_64)
Foreign Architectures: amd64

Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=pl_PL.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages patch depends on:
ii  libc6  2.19-13

-- 
Jakub Wilk
[traversal.diff (text/x-diff, attachment)]
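
A pre-apply check for the pattern described in the report above, as an added example that is not part of the bug log or of patch itself: it scans a git-style patch for symlink entries (mode 120000) whose target leaves the working tree, and for entries whose path passes through a symlink the same patch creates. The function names and the sample patch are constructed for illustration.

```python
import posixpath
import re
# Constructed sample: a git-style patch creating symlink "tmp", then file "tmp/moo".
SAMPLE_PATCH = """\
diff --git a/tmp b/tmp
new file mode 120000
--- /dev/null
+++ b/tmp
@@ -0,0 +1 @@
+/tmp
diff --git a/tmp/moo b/tmp/moo
new file mode 100644
"""

HEADER = re.compile(r"^diff --git a/(.+) b/(.+)$")
MODE = re.compile(r"^new (?:file )?mode (\d{6})$")

def parse_entries(patch_text):
    # One dict per file entry: normalized path, new mode, lines added in hunks.
    entries, cur, in_hunk = [], None, False
    for line in patch_text.splitlines():
        if (m := HEADER.match(line)):
            cur, in_hunk = {"path": posixpath.normpath(m.group(2)), "mode": None, "added": []}, False
            entries.append(cur)
        elif cur and (m := MODE.match(line)):
            cur["mode"] = m.group(1)
        elif line.startswith("@@"):
            in_hunk = True
        elif cur and in_hunk and line.startswith("+"):
            cur["added"].append(line[1:])
    return entries

def escapes(link_path, target):
    # A target is resolved relative to the directory that holds the symlink.
    resolved = posixpath.normpath(posixpath.join(posixpath.dirname(link_path), target))
    return posixpath.isabs(target) or resolved == ".." or resolved.startswith("../")

def audit_patch(patch_text):
    # Returns (kind, path, detail) tuples in the order the patch would act.
    findings, links = [], {}
    for e in parse_entries(patch_text):
        parts = e["path"].split("/")
        prefixes = ["/".join(parts[:i]) for i in range(1, len(parts))]
        findings += [("write-through-symlink", e["path"], p) for p in prefixes if p in links]
        if e["mode"] == "120000":  # git's file mode for a symbolic link
            target = links[e["path"]] = e["added"][0] if e["added"] else ""
            if escapes(e["path"], target):
                findings.append(("symlink-escapes-tree", e["path"], target))
    return findings
```

An empty result does not make a patch safe to apply with a vulnerable version; the check only covers symlinks created by the patch itself, not ones already present in the target tree.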

Information forwarded to debian-bugs-dist@lists.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>:
Bug#775227; Package patch. (Sun, 18 Jan 2015 20:39:08 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Laszlo Boszormenyi (GCS) <gcs@debian.org>. (Sun, 18 Jan 2015 20:39:08 GMT)


Message #8 received at 775227@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Jakub Wilk <jwilk@debian.org>, 775227@bugs.debian.org
Subject: Re: Bug#775227: patch: directory traversal via symlinks
Date: Sun, 18 Jan 2015 21:36:51 +0100
Control: retitle -1 patch: CVE-2015-1196: directory traversal via symlinks

Hi,

This has been assigned CVE-2015-1196 by MITRE.

Regards,
Salvatore



Changed Bug title to 'patch: CVE-2015-1196: directory traversal via symlinks' from 'patch: directory traversal via symlinks' Request was from Salvatore Bonaccorso <carnil@debian.org> to 775227-submit@bugs.debian.org. (Sun, 18 Jan 2015 20:39:08 GMT)


Added tag(s) upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 19 Jan 2015 06:48:04 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>:
Bug#775227; Package patch. (Tue, 20 Jan 2015 11:12:05 GMT)


Acknowledgement sent to Andreas Grünbacher <andreas.gruenbacher@gmail.com>:
Extra info received and forwarded to list. Copy sent to Laszlo Boszormenyi (GCS) <gcs@debian.org>. (Tue, 20 Jan 2015 11:12:05 GMT)


Message #17 received at 775227@bugs.debian.org:

From: Andreas Grünbacher <andreas.gruenbacher@gmail.com>
To: 775227@bugs.debian.org
Subject: Fixed upstream
Date: Tue, 20 Jan 2015 12:08:54 +0100
This fix in the upstream git repository should take care of this bug.
[CVE-2015-1196.diff (text/plain, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>:
Bug#775227; Package patch. (Tue, 20 Jan 2015 11:39:08 GMT)


Acknowledgement sent to László Böszörményi (GCS) <gcs@debian.org>:
Extra info received and forwarded to list. Copy sent to Laszlo Boszormenyi (GCS) <gcs@debian.org>. (Tue, 20 Jan 2015 11:39:08 GMT)


Message #22 received at 775227@bugs.debian.org:

From: László Böszörményi (GCS) <gcs@debian.org>
To: Andreas Grünbacher <andreas.gruenbacher@gmail.com>, 775227@bugs.debian.org
Subject: Re: Bug#775227: Fixed upstream
Date: Tue, 20 Jan 2015 12:37:03 +0100
On Tue, Jan 20, 2015 at 12:08 PM, Andreas Grünbacher
<andreas.gruenbacher@gmail.com> wrote:
> This fix in the upstream git repository should take care of this bug.
Yes, I know, as I was the one who reported it to upstream. There are
two more important bugs that I am waiting for fixes for. Will upload
those as soon as possible.

Thanks anyway,
Laszlo/GCS



Information forwarded to debian-bugs-dist@lists.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>:
Bug#775227; Package patch. (Tue, 20 Jan 2015 11:51:04 GMT)


Acknowledgement sent to Andreas Grünbacher <andreas.gruenbacher@gmail.com>:
Extra info received and forwarded to list. Copy sent to Laszlo Boszormenyi (GCS) <gcs@debian.org>. (Tue, 20 Jan 2015 11:51:04 GMT)


Message #27 received at 775227@bugs.debian.org:

From: Andreas Grünbacher <andreas.gruenbacher@gmail.com>
To: László Böszörményi (GCS) <gcs@debian.org>
Cc: 775227 <775227@bugs.debian.org>
Subject: Re: Bug#775227: Fixed upstream
Date: Tue, 20 Jan 2015 12:49:09 +0100
Well I hope those are fixed as well now.



Reply sent to Laszlo Boszormenyi (GCS) <gcs@debian.org>:
You have taken responsibility. (Tue, 20 Jan 2015 21:22:39 GMT)


Notification sent to Jakub Wilk <jwilk@debian.org>:
Bug acknowledged by developer. (Tue, 20 Jan 2015 21:22:39 GMT)


Message #32 received at 775227-close@bugs.debian.org:

From: Laszlo Boszormenyi (GCS) <gcs@debian.org>
To: 775227-close@bugs.debian.org
Subject: Bug#775227: fixed in patch 2.7.1-7
Date: Tue, 20 Jan 2015 21:18:53 +0000
Source: patch
Source-Version: 2.7.1-7

We believe that the bug you reported is fixed in the latest version of
patch, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 775227@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Laszlo Boszormenyi (GCS) <gcs@debian.org> (supplier of updated patch package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Tue, 20 Jan 2015 19:34:19 +0000
Source: patch
Binary: patch
Architecture: source amd64
Version: 2.7.1-7
Distribution: unstable
Urgency: high
Maintainer: Laszlo Boszormenyi (GCS) <gcs@debian.org>
Changed-By: Laszlo Boszormenyi (GCS) <gcs@debian.org>
Description:
 patch      - Apply a diff file to an original
Closes: 775227 775540 775793
Changes:
 patch (2.7.1-7) unstable; urgency=high
 .
   * Backport patches from upstream Git tree:
     - fix CVE-2015-119: directory traversal via symlinks (closes: #775227),
     - infinite loop while applying patch (closes: #775540),
     - segmentation fault while applying corrupted patch (closes: #775793).




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 12 Mar 2015 07:26:03 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:57:10 2019; Machine Name: buxtehude
