[arch-security] [ASA-201501-24] patch: multiple issues
anthraxx at archlinux.org
Wed Jan 28 00:43:23 UTC 2015
Arch Linux Security Advisory ASA-201501-24
Date : 2015-01-28
CVE-ID : CVE-2015-1196 CVE-2014-9637
Package : patch
Type : multiple issues
Remote : Yes
Link : https://wiki.archlinux.org/index.php/CVE
The package patch before version 2.7.3-1 is vulnerable to directory
traversal and denial of service via memory consumption.
Upgrade to 2.7.3-1.
# pacman -Syu "patch>=2.7.3-1"
The problems have been fixed upstream in version 2.7.3.
- CVE-2015-1196 (directory traversal)
A directory traversal flaw was discovered that allows remote attackers
to write to arbitrary files via a symlink attack in a patch file. This
could allow an attacker to overwrite arbitrary files by applying a
specially crafted patch, with the privileges of the user running patch.
- CVE-2014-9637 (denial of service)
It was reported that a crafted patch file can consume all available
memory and later segfault resulting in denial of service.
A remote attacker is able to write to arbitrary files via a symlink
attack or consume all available memory via a crafted patch file leading
to denial of service.
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 819 bytes
Desc: OpenPGP digital signature
More information about the arch-security