| Summary: | patch new security issues CVE-2014-9637, CVE-2015-1196, CVE-2015-1395, and CVE-2015-1396 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | ||
| Priority: | Normal | CC: | herman.viaene, sysadmin-bugs |
| Version: | 4 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/631502/ | ||
| Whiteboard: | has_procedure advisory MGA4-64-OK MGA4-32-OK | ||
| Source RPM: | patch-2.7.1-5.mga5.src.rpm | CVE: | |
| Status comment: | |||

Description
David Walser
2015-01-27 16:57:07 CET

David Walser
2015-01-27 16:57:21 CET
Whiteboard: (none) => MGA4TOO

Thomas Backlund has noted some potential issues that these fixes will cause:
https://ml.mageia.org/l/arc/dev/2015-01/msg00770.html

We can proceed with patience before pushing any updates for this (including in Cauldron).

(In reply to David Walser from comment #0)
> However, as noted in that bug and here:
> http://openwall.com/lists/oss-security/2015/01/24/2
> http://openwall.com/lists/oss-security/2015/01/24/3
>
> there remain more directory traversal issues, so another update is likely
> coming.

CVE-2015-1395 and CVE-2015-1396 have been assigned for those issues:
http://openwall.com/lists/oss-security/2015/01/27/28
http://openwall.com/lists/oss-security/2015/01/27/29

Summary: patch new security issues CVE-2014-9637 and CVE-2015-1196 => patch new security issues CVE-2014-9637, CVE-2015-1196, CVE-2015-1395, and CVE-2015-1396

According to the RedHat bugs, 2.7.3 fixes CVE-2015-1395 and 2.7.4 fixes CVE-2015-1396:
https://bugzilla.redhat.com/show_bug.cgi?id=1184490
https://bugzilla.redhat.com/show_bug.cgi?id=1186764

Thomas, Fedora's commit message for the 2.7.4 update says this:
"2.7.4, including a better fix for CVE-2015-1196 that still allows symlinks referencing ".." to be created."

Does that fix the problem that you mentioned earlier?

Assignee: bugsquad => tmb
David Walser
2015-02-03 17:52:00 CET
URL: (none) => http://lwn.net/Vulnerabilities/631502/

Fedora has issued an advisory on January 25:
https://lists.fedoraproject.org/pipermail/package-announce/2015-January/148953.html

The 2.7.4 update is currently in QA:
https://admin.fedoraproject.org/updates/FEDORA-2015-1553/patch-2.7.4-1.fc21

Fedora advisory for the 2.7.4 from February 2:
https://lists.fedoraproject.org/pipermail/package-announce/2015-February/149140.html

(In reply to David Walser from comment #3)
> Thomas, Fedora's commit message for the 2.7.4 update says this:
> "2.7.4, including a better fix for CVE-2015-1196 that still allows symlinks
> referencing ".." to be created."
>
> Does that fix the problem that you mentioned earlier?

I will verify it later today

So, one week late, but I've now confirmed 2.7.4 works correctly

Assigning to QA

SRPM:
patch-2.7.4-1.mga4.src.rpm

i586:
patch-2.7.4-1.mga4.i586.rpm

x86_64:
patch-2.7.4-1.mga4.x86_64.rpm

Whiteboard: MGA4TOO => (none)

Thanks Thomas!

Advisory:
========================

Updated patch package fixes security vulnerabilities:

It was reported that a crafted diff file (attached) can make patch to eat memory and later segfault (CVE-2014-9637).

It was reported that the versions of the patch utility that support Git-style patches are vulnerable to a directory traversal flaw. This could allow an attacker to overwrite arbitrary files by applying a specially crafted patch, with the privileges of the user running patch (CVE-2015-1395).

GNU patch before 2.7.4 allows remote attackers to write to arbitrary files via a symlink attack in a patch file (CVE-2015-1196).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9637
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1196
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1395
https://lists.fedoraproject.org/pipermail/package-announce/2015-January/148953.html
https://lists.fedoraproject.org/pipermail/package-announce/2015-February/149140.html

Note to self: remove "(attached)" when uploading

Oops, sorry about that. I'll fix it here so it won't be forgotten.

Advisory:
========================

Updated patch package fixes security vulnerabilities:

It was reported that a crafted diff file can make patch eat memory and later segfault (CVE-2014-9637).

It was reported that the versions of the patch utility that support Git-style patches are vulnerable to a directory traversal flaw. This could allow an attacker to overwrite arbitrary files by applying a specially crafted patch, with the privileges of the user running patch (CVE-2015-1395).

GNU patch before 2.7.4 allows remote attackers to write to arbitrary files via a symlink attack in a patch file (CVE-2015-1196).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9637
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1196
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1395
https://lists.fedoraproject.org/pipermail/package-announce/2015-January/148953.html
https://lists.fedoraproject.org/pipermail/package-announce/2015-February/149140.html

MGA4-64 on HP Probook 6555b
No installation issues.
Tested as described in Debian bug 775873 after downloading test file traversal2.diff

    cd /tmp
    > ls /tmp/moo
    ls: cannot access /tmp/moo: No such file or directory
    > mkdir empty && cd empty
    > patch -p1 < ~/Downloads/traversal2.diff
    patching file moo
    Ignoring potentially dangerous file name ../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../tmp/moo
    Cannot rename file without two valid file names

In /tmp/empty file moo is created containing text "moo".

CC: (none) => herman.viaene
Herman Viaene
2015-02-17 15:33:41 CET
Whiteboard: (none) => MGA4-64-OK

MGA4-32 on Acer D620
No installation issues.
Applied the same test as Comment 11 and get the same results.

Whiteboard: MGA4-64-OK => MGA4-64-OK MGA4-32-OK

Validating. Advisory uploaded.

Please push to 4 updates

Thanks

Keywords: (none) => validated_update

An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0068.html

Status: NEW => RESOLVED
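
The QA test earlier in this report relies on patch 2.7.4 ignoring a file name made of `..` components. As a complementary pre-check, the following added example (not code from GNU patch, Mageia or anyone in this thread) scans a patch's headers for absolute or `..`-containing file names and for git-style symlink creation, while skipping look-alike lines inside hunk bodies. The function names and the sample patch are constructed for illustration, and unquoted file names are assumed.

```python
import re
from pathlib import PurePosixPath

NAME_HEADERS = ("--- ", "+++ ", "rename from ", "rename to ", "copy from ", "copy to ")
HUNK = re.compile(r"^@@ -\d+(?:,(\d+))? \+\d+(?:,(\d+))? @@")

def unsafe_reason(name):
    """Why a file name from a patch header is unsafe, or None if it is not."""
    path = PurePosixPath(name)
    if name != "/dev/null" and path.is_absolute():   # /dev/null marks "no file"
        return "absolute path"
    return "'..' component" if ".." in path.parts else None

def audit_patch(text):
    """Return (line_no, header, value, reason) for each risky header line."""
    findings, old_left, new_left = [], 0, 0
    for no, line in enumerate(text.splitlines(), 1):
        if old_left > 0 or new_left > 0:     # hunk body: never a header
            old_left -= line[:1] in (" ", "", "-")   # context or removed line
            new_left -= line[:1] in (" ", "", "+")   # context or added line
            continue
        m = HUNK.match(line)
        if m:                                # a count left out means 1
            old_left, new_left = int(m.group(1) or 1), int(m.group(2) or 1)
        elif line in ("new file mode 120000", "new mode 120000"):
            findings.append((no, "mode", "120000", "creates a symbolic link"))
        for header in NAME_HEADERS:
            if line.startswith(header):
                # Traditional headers carry a timestamp after a tab.
                name = line[len(header):].split("\t")[0].strip()
                reason = unsafe_reason(name)
                if reason:
                    findings.append((no, header.strip(), name, reason))
    return findings

# Constructed sample: header lines only, no real project paths.
SAMPLE = """\
rename from moo
rename to ../../tmp/moo
--- a/src/ok.c\t2015-01-27 10:00:00
+++ b/src/ok.c\t2015-01-27 10:05:00
@@ -1,2 +1,2 @@
 int x;
--- ../inside/a/hunk
+++ ../inside/a/hunk
new file mode 120000
--- /dev/null
+++ /etc/example.conf
"""
```

Calling `audit_patch(SAMPLE)` reports the rename target, the symlink mode line and the absolute `+++` name; the two `..` lines inside the hunk are changed content, not headers, and are not reported.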