Description
Security update for patch
The GNU patch utility was updated to 2.7.5 to fix three security issues and one non-security bug.
The following vulnerabilities were fixed:
- CVE-2015-1196: directory traversal flaw when handling git-style patches. This could allow an attacker to overwrite arbitrary files by tricking the user into applying a specially crafted patch. (bsc#913678)
- CVE-2015-1395: directory traversal flaw when handling patches which rename files. This could allow an attacker to overwrite arbitrary files by tricking the user into applying a specially crafted patch. (bsc#915328)
- CVE-2015-1396: directory traversal flaw via symbolic links. This could allow an attacker to overwrite arbitrary files by tricking the user into applying a specially crafted patch. (bsc#915329)
The following bug was fixed:
- bsc#904519: Function names in hunks (from diff -p) are now preserved in reject files.
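The three flaws above share one shape: a header line in the patch names a path outside the directory being patched, or introduces a symbolic link. The following pre-apply check is an added example, not part of the SUSE advisory or of GNU patch; the name `audit_patch` and the sample patches are constructed for illustration, and it assumes file names are not C-quoted.

```python
import re

# Header lines in unified and git-style patches that name a file to touch.
# A removed line whose text starts with "-- " also matches; that is accepted
# as a conservative false positive.
_PATH_HEADERS = re.compile(
    r"^(?:--- |\+\+\+ |rename from |rename to |copy from |copy to )(?P<path>[^\t\n]+)"
)
_GIT_HEADER = re.compile(r"^diff --git (?P<old>\S+) (?P<new>\S+)$")
# 120000 is the git file mode for a symbolic link.
_SYMLINK_MODE = re.compile(
    r"^(?:new file mode|new mode|old mode|deleted file mode) 120000$"
)


def _escapes_tree(path):
    """True if path is absolute or contains a '..' component."""
    if path == "/dev/null":  # marker for a created or deleted file
        return False
    return path.startswith("/") or ".." in path.split("/")


def audit_patch(text):
    """Return (line_number, reason) findings for one patch file."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = _GIT_HEADER.match(line)
        paths = [m["old"], m["new"]] if m else []
        m = _PATH_HEADERS.match(line)
        if m:
            paths.append(m["path"].strip())
        for p in paths:
            if _escapes_tree(p):
                findings.append((n, "path leaves tree: " + p))
        if _SYMLINK_MODE.match(line):
            findings.append((n, "symlink entry"))
    return findings


# Constructed sample inputs (header lines only).
CLEAN = ("diff --git a/src/main.c b/src/main.c\n--- a/src/main.c\n"
         "+++ b/src/main.c\n@@ -1 +1 @@\n-old\n+new\n")
TRAVERSAL = ("diff --git a/../outside.txt b/../outside.txt\n"
             "--- a/../outside.txt\n+++ b/../outside.txt\n@@ -0,0 +1 @@\n+x\n")
RENAME = ("diff --git a/notes.txt b/notes.txt\n"
          "rename from notes.txt\nrename to ../notes.txt\n")
SYMLINK = "diff --git a/link b/link\nnew file mode 120000\n"
```

A non-empty result is a reason to reject the patch before it reaches `patch`; it complements the update to 2.7.5 and does not replace it.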
Package list
SUSE Linux Enterprise Desktop 12
SUSE Linux Enterprise Server 12
SUSE Linux Enterprise Server for SAP Applications 12
References
- Link for SUSE-SU-2015:1019-1
- E-Mail link for SUSE-SU-2015:1019-1
- SUSE Security Ratings
- SUSE Bug 904519
- SUSE Bug 913678
- SUSE Bug 915328
- SUSE Bug 915329
- SUSE CVE CVE-2015-1196 page
- SUSE CVE CVE-2015-1395 page
- SUSE CVE CVE-2015-1396 page
Description
GNU patch 2.7.1 allows remote attackers to write to arbitrary files via a symlink attack in a patch file.
Affected products
References
- CVE-2015-1196
- SUSE Bug 913678
- SUSE Bug 915329
Description
Directory traversal vulnerability in GNU patch versions which support Git-style patching before 2.7.3 allows remote attackers to write to arbitrary files with the permissions of the target user via a .. (dot dot) in a diff file name.
Affected products
References
- CVE-2015-1395
- SUSE Bug 915328
Description
A Directory Traversal vulnerability exists in the GNU patch before 2.7.4. A remote attacker can write to arbitrary files via a symlink attack in a patch file. NOTE: this issue exists because of an incomplete fix for CVE-2015-1196.
Affected products
References
- CVE-2015-1396
- SUSE Bug 915329