Fedora has updated to version 2.7.3 in SVN, with an update candidate currently in QA:
https://admin.fedoraproject.org/updates/FEDORA-2015-1134/patch-2.7.3-1.fc21

It fixes CVE-2014-9637, a local DoS issue:
https://bugzilla.redhat.com/show_bug.cgi?id=1185262

It also fixes CVE-2015-1196, a directory traversal issue:
https://bugzilla.redhat.com/show_bug.cgi?id=1182154

However, as noted in that bug and here:
http://openwall.com/lists/oss-security/2015/01/24/2
http://openwall.com/lists/oss-security/2015/01/24/3

there remain more directory traversal issues, so another update is likely coming.

I've asked for a freeze push request for Cauldron for 2.7.3 for now and am waiting on the other issues before updating again and for Mageia 4.
Whiteboard: (none) => MGA4TOO
Thomas Backlund has noted some potential issues that these fixes will cause:
https://ml.mageia.org/l/arc/dev/2015-01/msg00770.html

We can proceed with patience before pushing any updates for this (including in Cauldron).
(In reply to David Walser from comment #0)
> However, as noted in that bug and here:
> http://openwall.com/lists/oss-security/2015/01/24/2
> http://openwall.com/lists/oss-security/2015/01/24/3
>
> there remain more directory traversal issues, so another update is likely
> coming.

CVE-2015-1395 and CVE-2015-1396 have been assigned for those issues:
http://openwall.com/lists/oss-security/2015/01/27/28
http://openwall.com/lists/oss-security/2015/01/27/29
Summary: patch new security issues CVE-2014-9637 and CVE-2015-1196 => patch new security issues CVE-2014-9637, CVE-2015-1196, CVE-2015-1395, and CVE-2015-1396
According to the RedHat bugs, 2.7.3 fixes CVE-2015-1395 and 2.7.4 fixes CVE-2015-1396:
https://bugzilla.redhat.com/show_bug.cgi?id=1184490
https://bugzilla.redhat.com/show_bug.cgi?id=1186764

Thomas, Fedora's commit message for the 2.7.4 update says this:
"2.7.4, including a better fix for CVE-2015-1196 that still allows symlinks referencing ".." to be created."

Does that fix the problem that you mentioned earlier?
Assignee: bugsquad => tmb
URL: (none) => http://lwn.net/Vulnerabilities/631502/
Fedora has issued an advisory on January 25:
https://lists.fedoraproject.org/pipermail/package-announce/2015-January/148953.html

The 2.7.4 update is currently in QA:
https://admin.fedoraproject.org/updates/FEDORA-2015-1553/patch-2.7.4-1.fc21
Fedora advisory for the 2.7.4 update from February 2:
https://lists.fedoraproject.org/pipermail/package-announce/2015-February/149140.html
(In reply to David Walser from comment #3)
> Thomas, Fedora's commit message for the 2.7.4 update says this:
> "2.7.4, including a better fix for CVE-2015-1196 that still allows symlinks
> referencing ".." to be created."
>
> Does that fix the problem that you mentioned earlier?

I will verify it later today.
So, one week late, but I've now confirmed 2.7.4 works correctly.

Assigning to QA.

SRPM:
patch-2.7.4-1.mga4.src.rpm

i586:
patch-2.7.4-1.mga4.i586.rpm

x86_64:
patch-2.7.4-1.mga4.x86_64.rpm
Whiteboard: MGA4TOO => (none)
Hardware: i586 => All
Version: Cauldron => 4
Assignee: tmb => qa-bugs
Thanks Thomas!

Advisory:
========================

Updated patch package fixes security vulnerabilities:

It was reported that a crafted diff file (attached) can make patch eat memory and later segfault (CVE-2014-9637).

It was reported that the versions of the patch utility that support Git-style patches are vulnerable to a directory traversal flaw. This could allow an attacker to overwrite arbitrary files by applying a specially crafted patch, with the privileges of the user running patch (CVE-2015-1395).

GNU patch before 2.7.4 allows remote attackers to write to arbitrary files via a symlink attack in a patch file (CVE-2015-1196).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9637
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1196
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1395
https://lists.fedoraproject.org/pipermail/package-announce/2015-January/148953.html
https://lists.fedoraproject.org/pipermail/package-announce/2015-February/149140.html
Note to self: remove "(attached)" when uploading
Oops, sorry about that. I'll fix it here so it won't be forgotten.

Advisory:
========================

Updated patch package fixes security vulnerabilities:

It was reported that a crafted diff file can make patch eat memory and later segfault (CVE-2014-9637).

It was reported that the versions of the patch utility that support Git-style patches are vulnerable to a directory traversal flaw. This could allow an attacker to overwrite arbitrary files by applying a specially crafted patch, with the privileges of the user running patch (CVE-2015-1395).

GNU patch before 2.7.4 allows remote attackers to write to arbitrary files via a symlink attack in a patch file (CVE-2015-1196).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9637
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1196
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1395
https://lists.fedoraproject.org/pipermail/package-announce/2015-January/148953.html
https://lists.fedoraproject.org/pipermail/package-announce/2015-February/149140.html
MGA4-64 on HP Probook 6555b

No installation issues.

Tested as described in Debian bug 775873 after downloading test file traversal2.diff:

    cd /tmp
    > ls /tmp/moo
    ls: cannot access /tmp/moo: No such file or directory
    > mkdir empty && cd empty
    > patch -p1 < ~/Downloads/traversal2.diff
    patching file moo
    Ignoring potentially dangerous file name ../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../tmp/moo
    Cannot rename file without two valid file names

In /tmp/empty the file moo is created containing the text "moo".
CC: (none) => herman.viaene
Whiteboard: (none) => MGA4-64-OK
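The test above relies on the fixed patch binary itself refusing the "potentially dangerous file name". As an added example (not part of this bug thread and not GNU patch's own code), the following Python script shows the same two checks the advisory describes, run as a pre-check over a diff before it is handed to patch: target paths in `---`/`+++`, `diff --git`, and rename/copy headers that are absolute or climb out of the working tree with `..` (the CVE-2015-1395 / CVE-2015-1196 class), and Git-style symlink entries (mode 120000) whose link target is absolute or contains `..`. The rule set and the embedded sample diff are my own constructions; they mirror, but are not, patch's internal logic, and `strip` plays the role of `-p`.

```python
import re

# Header lines from which patch takes the name of the file it will create or modify.
TARGET_RE = re.compile(r'^(\+\+\+ |--- |rename (?:from|to) |copy (?:from|to) )(\S+)')
GIT_RE = re.compile(r'^diff --git (\S+) (\S+)')
# Git-style extended header announcing a new symbolic link (CVE-2015-1196 class).
SYMLINK_MODE_RE = re.compile(r'^new file mode 120000')


def strip_components(path, strip):
    """Drop the first `strip` path components, like patch's -p option."""
    parts = path.split('/')
    return '/'.join(parts[strip:]) if strip < len(parts) else ''


def escapes_tree(path):
    """True if the path is absolute or its '..' components climb above the start dir."""
    if path.startswith('/'):
        return True
    depth = 0
    for comp in path.split('/'):
        if comp == '..':
            depth -= 1
            if depth < 0:
                return True
        elif comp not in ('', '.'):
            depth += 1
    return False


def has_dotdot(path):
    """A symlink target with any '..' component is treated as unsafe."""
    return '..' in path.split('/')


def find_unsafe_targets(diff_text, strip=1):
    """Return (line number, kind, raw value) for every unsafe file or link target.

    Both the raw header name and its -p-stripped form are checked, so the result
    does not depend on guessing which form patch would use for a given header.
    """
    findings = []
    expect_symlink_target = False
    for lineno, line in enumerate(diff_text.splitlines(), 1):
        # After a 120000 mode header, the first added content line is the link target.
        if expect_symlink_target and line.startswith('+') and not line.startswith('+++'):
            target = line[1:]
            if target.startswith('/') or has_dotdot(target):
                findings.append((lineno, 'symlink target', target))
            expect_symlink_target = False
            continue
        if SYMLINK_MODE_RE.match(line):
            expect_symlink_target = True
            continue
        m = GIT_RE.match(line)
        raw = m.group(2) if m else None
        if raw is None:
            m = TARGET_RE.match(line)
            raw = m.group(2) if m else None
        if raw is None or raw == '/dev/null':
            continue
        if escapes_tree(raw) or escapes_tree(strip_components(raw, strip)):
            findings.append((lineno, 'target path', raw))
    return findings


# Constructed sample: one harmless hunk, one traversal target, one symlink to '..'.
SAMPLE_DIFF = """\
--- a/README
+++ b/README
@@ -1 +1 @@
-old
+new
--- /dev/null
+++ b/../../../tmp/moo
@@ -0,0 +1 @@
+moo
diff --git a/link b/link
new file mode 120000
index 0000000..0000000
--- /dev/null
+++ b/link
@@ -0,0 +1 @@
+../../etc
"""

if __name__ == '__main__':
    for lineno, kind, value in find_unsafe_targets(SAMPLE_DIFF, strip=1):
        print(f'line {lineno}: unsafe {kind}: {value}')
```

The check is deliberately conservative: an added or removed content line that happens to begin with `++ ` or `-- ` inside a hunk looks like a header to this scanner and may produce a false positive, which is the right failure direction for a gate that decides whether a diff reaches an unpatched `patch`.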
MGA4-32 on Acer D620

No installation issues.

Applied the same test as Comment 11 and got the same results.
Whiteboard: MGA4-64-OK => MGA4-64-OK MGA4-32-OK
Validating. Advisory uploaded.

Please push to 4 updates.

Thanks
Keywords: (none) => validated_update
Whiteboard: MGA4-64-OK MGA4-32-OK => has_procedure advisory MGA4-64-OK MGA4-32-OK
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository.
http://advisories.mageia.org/MGASA-2015-0068.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED