Ubuntu Security Notice 2651-1 - Jakub Wilk discovered that GNU patch did not correctly handle file paths in patch files. An attacker could specially craft a patch file that could overwrite arbitrary files with the privileges of the user invoking the program. This issue only affected Ubuntu 12.04 LTS. Laszlo Boszormenyi discovered that GNU patch did not correctly handle some patch files. An attacker could specially craft a patch file that could cause a denial of service. Various other issues were also addressed.
e43ff81e4eac19b638143530ecd655f45f29338ebb1060483b4634127142c235==========================================================================
Ubuntu Security Notice USN-2651-1
June 22, 2015
patch vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 14.10
- Ubuntu 14.04 LTS
- Ubuntu 12.04 LTS
Summary:
Several security issues were fixed in GNU patch.
Software Description:
- patch: Apply a diff file to an original
Details:
Jakub Wilk discovered that GNU patch did not correctly handle file paths in
patch files. An attacker could specially craft a patch file that could
overwrite arbitrary files with the privileges of the user invoking the program.
This issue only affected Ubuntu 12.04 LTS. (CVE-2010-4651)
László Böszörményi discovered that GNU patch did not correctly handle some
patch files. An attacker could specially craft a patch file that could cause a
denial of service. (CVE-2014-9637)
Jakub Wilk discovered that GNU patch did not correctly handle symbolic links in
git style patch files. An attacker could specially craft a patch file that
could overwrite arbitrary files with the privileges of the user invoking the
program. This issue only affected Ubuntu 14.04 LTS and Ubuntu 14.10.
(CVE-2015-1196)
Jakub Wilk discovered that GNU patch did not correctly handle file renames in
git style patch files. An attacker could specially craft a patch file that
could overwrite arbitrary files with the privileges of the user invoking the
program. This issue only affected Ubuntu 14.04 LTS and Ubuntu 14.10.
(CVE-2015-1395)
Jakub Wilk discovered the fix for CVE-2015-1196 was incomplete for GNU patch.
An attacker could specially craft a patch file that could overwrite arbitrary
files with the privileges of the user invoking the program. This issue only
affected Ubuntu 14.04 LTS and Ubuntu 14.10. (CVE-2015-1396)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 14.10:
patch 2.7.1-5ubuntu0.3
Ubuntu 14.04 LTS:
patch 2.7.1-4ubuntu2.3
Ubuntu 12.04 LTS:
patch 2.6.1-3ubuntu0.1
In general, a standard system update will make all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-2651-1
CVE-2010-4651, CVE-2014-9637, CVE-2015-1196, CVE-2015-1395,
CVE-2015-1396
Package Information:
https://launchpad.net/ubuntu/+source/patch/2.7.1-5ubuntu0.3
https://launchpad.net/ubuntu/+source/patch/2.7.1-4ubuntu2.3
https://launchpad.net/ubuntu/+source/patch/2.6.1-3ubuntu0.1
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed