Updated patch packages fix security vulnerabilities
Publication date: 17 Feb 2015Modification date: 17 Feb 2015
Type: security
Affected Mageia releases : 4
CVE: CVE-2014-9637 , CVE-2015-1196 , CVE-2015-1395
Description
Updated patch package fixes security vulnerabilities:
It was reported that a crafted diff file can make patch eat memory and later
segfault (CVE-2014-9637).
It was reported that the versions of the patch utility that support Git-style
patches are vulnerable to a directory traversal flaw. This could allow an
attacker to overwrite arbitrary files by applying a specially crafted patch,
with the privileges of the user running patch (CVE-2015-1395).
GNU patch before 2.7.4 allows remote attackers to write to arbitrary files via
a symlink attack in a patch file (CVE-2015-1196).
References
- https://bugs.mageia.org/show_bug.cgi?id=15142
- https://lists.fedoraproject.org/pipermail/package-announce/2015-January/148953.html
- https://lists.fedoraproject.org/pipermail/package-announce/2015-February/149140.html
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9637
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1196
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1395
SRPMS
4/core
- patch-2.7.4-1.mga4