Bug 913678 (CVE-2015-1196) - VUL-0: CVE-2015-1196: patch: directory traversal via symlinks
Summary: VUL-0: CVE-2015-1196: patch: directory traversal via symlinks
Status: RESOLVED FIXED
Alias: CVE-2015-1196
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
: P3 - Medium : Minor
Target Milestone: ---
Assignee: Jean Delvare
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/112770/
Reported: 2015-01-19 12:21 UTC by Victor Pereira
Modified: 2016-10-05 06:36 UTC

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Victor Pereira 2015-01-19 12:21:11 UTC
rh#1182154

It was reported [1] that the versions of the patch utility that support Git-style patches are vulnerable to a directory traversal flaw. This could allow an attacker to overwrite arbitrary files by applying a specially crafted patch, with the privileges of the user running patch. A reproducer for this issue is available in [1].

[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=775227

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1182154
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1196
http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-1196.html
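
A pre-apply audit for the flaw class described in the report above, as an added example that is not part of the original report and does not reproduce how GNU patch itself handles symlinks. It scans a Git-style patch for symlinks whose target resolves outside the tree and for files addressed through a symlink the same patch creates; the function names, finding labels and sample patch are assumptions made for illustration.

```python
import posixpath
import re

SYMLINK_MODE = "120000"  # git file mode for a symbolic link

def escapes_tree(link_path, target):
    """True if a symlink at link_path with this target resolves outside the tree."""
    if target.startswith("/"):
        return True
    resolved = posixpath.normpath(posixpath.join(posixpath.dirname(link_path), target))
    return resolved == ".." or resolved.startswith("../")

def audit_patch(text):
    """Flag symlinks that leave the tree and files addressed through a patch-created symlink."""
    findings, symlinks = [], {}
    path, is_link = None, False
    for line in text.splitlines():
        # Simplification: unquoted paths without spaces only.
        m = re.match(r"diff --git a/(\S+) b/(\S+)$", line)
        if m:
            path, is_link = posixpath.normpath(m.group(2)), False
            for link in symlinks:
                if path.startswith(link + "/"):
                    findings.append(("through-symlink", path, link))
        elif path and re.match(r"new (file )?mode " + SYMLINK_MODE + "$", line):
            is_link = True
        elif path and is_link and line.startswith("+") and not line.startswith("+++"):
            target = line[1:]  # a symlink's "content" in a git diff is its target
            symlinks[path] = target
            if escapes_tree(path, target):
                findings.append(("symlink-escapes", path, target))
    return findings

# Constructed sample: placeholder paths, not the reproducer referenced in the report.
SAMPLE = """\
diff --git a/docs b/docs
new file mode 120000
--- /dev/null
+++ b/docs
@@ -0,0 +1 @@
+../outside
\\ No newline at end of file
diff --git a/docs/notes.txt b/docs/notes.txt
new file mode 100644
--- /dev/null
+++ b/docs/notes.txt
@@ -0,0 +1 @@
+hello
"""
```

Relative symlinks that stay inside the tree, such as `a/b/link` pointing to `../c`, produce no finding, so the audit does not reject legitimate relative links.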
Comment 1 Swamp Workflow Management 2015-01-19 23:05:26 UTC
bugbot adjusting priority
Comment 2 Andreas Stieger 2015-01-23 01:16:07 UTC
For openSUSE, submit request to devel:tools / patch:
https://build.opensuse.org/request/show/282506

Maintenance request for openSUSE 13.1 and 13.2:
https://build.opensuse.org/request/show/282508
Comment 3 Swamp Workflow Management 2015-02-03 09:05:06 UTC
openSUSE-SU-2015:0199-1: An update that solves one vulnerability and has one errata is now available.

Category: security (moderate)
Bug References: 904519,913678
CVE References: CVE-2015-1196
Sources used:
openSUSE 13.2 (src):    patch-2.7.3-7.4.1
openSUSE 13.1 (src):    patch-2.7.3-4.4.1
Comment 4 Johannes Segitz 2015-02-04 08:55:39 UTC
This was introduced in 2.7 so SLE 12 is also affected. Can you please provide submits?
Comment 5 Johannes Segitz 2015-02-04 09:13:32 UTC
Also the fixes are incomplete, see bnc#915329
Comment 6 Jean Delvare 2015-02-16 10:38:33 UTC
GNU patch version 2.7.3 breaks legitimate use cases of relative symbolic links. Upstream has reverted the security hot fix:

http://git.savannah.gnu.org/cgit/patch.git/commit/?id=290ffcb488bea5caec6d76a34ea8368d00c68875

And instead implemented a secure way of handling symbolic links:

http://git.savannah.gnu.org/cgit/patch.git/commit/?id=025a54b789bd88ed15430f8633514e296826983e
http://git.savannah.gnu.org/cgit/patch.git/commit/?id=71a3172c7ecb1fad7965843ba373e99a034ee1ce

This new approach no longer breaks legitimate use cases. This is all in GNU patch version 2.7.4, so I think we want to trigger another maintenance update.
Comment 7 Jean Delvare 2015-02-16 11:40:25 UTC
I have created bug #918058 to track the regression in openSUSE 13.1, 13.2 and Factory.
Comment 8 Johannes Segitz 2015-04-10 08:05:12 UTC
(In reply to Jean Delvare from comment #6)
Can you please submit for SLE 12? Thanks
Comment 9 Jean Delvare 2015-06-02 14:09:10 UTC
Submitted:

https://build.suse.de/request/show/58910
Comment 10 Swamp Workflow Management 2015-06-09 14:05:22 UTC
SUSE-SU-2015:1019-1: An update that solves three vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 904519,913678,915328,915329
CVE References: CVE-2015-1196,CVE-2015-1395,CVE-2015-1396
Sources used:
SUSE Linux Enterprise Server 12 (src):    patch-2.7.5-7.1
SUSE Linux Enterprise Desktop 12 (src):    patch-2.7.5-7.1
Comment 11 Jean Delvare 2016-10-05 06:36:26 UTC
Fixed long ago, closing.