Login
Newsletter
Werbung
Sicherheit: Mehrere Probleme in patch
Aktuelle Meldungen Distributionen
Name: Mehrere Probleme in patch
ID: USN-2651-1
Distribution: Ubuntu
Plattformen: Ubuntu 12.04 LTS, Ubuntu 14.04 LTS, Ubuntu 14.10
Datum: Di, 23. Juni 2015, 08:31
Referenzen: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4651
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9637
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1196
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1395
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1396
Applikationen: patch

Originalnachricht

 

--===============5838188491626630142==
Content-Type: multipart/signed; micalg=pgp-sha512;
	protocol="application/pgp-signature";
 boundary="GvXjxJ+pjyke8COw"
Content-Disposition: inline


--GvXjxJ+pjyke8COw
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inlin
Content-Transfer-Encoding: quoted-printable

==========================================================================
Ubuntu Security Notice USN-2651-1
June 22, 2015

patch vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 14.10
- Ubuntu 14.04 LTS
- Ubuntu 12.04 LTS

Summary:

Several security issues were fixed in GNU patch.

Software Description:
- patch: Apply a diff file to an original

Details:

Jakub Wilk discovered that GNU patch did not correctly handle file paths in
patch files. An attacker could specially craft a patch file that could
overwrite arbitrary files with the privileges of the user invoking the program.
This issue only affected Ubuntu 12.04 LTS. (CVE-2010-4651)

László Böszörményi discovered that GNU patch did not correctly handle some
patch files. An attacker could specially craft a patch file that could cause a
denial of service. (CVE-2014-9637)

Jakub Wilk discovered that GNU patch did not correctly handle symbolic links in
git style patch files. An attacker could specially craft a patch file that
could overwrite arbitrary files with the privileges of the user invoking the
program. This issue only affected Ubuntu 14.04 LTS and Ubuntu 14.10.
(CVE-2015-1196)

Jakub Wilk discovered that GNU patch did not correctly handle file renames in
git style patch files. An attacker could specially craft a patch file that
could overwrite arbitrary files with the privileges of the user invoking the
program. This issue only affected Ubuntu 14.04 LTS and Ubuntu 14.10.
(CVE-2015-1395)

Jakub Wilk discovered the fix for CVE-2015-1196 was incomplete for GNU patch.
An attacker could specially craft a patch file that could overwrite arbitrary
files with the privileges of the user invoking the program. This issue only
affected Ubuntu 14.04 LTS and Ubuntu 14.10. (CVE-2015-1396)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 14.10:
  patch                           2.7.1-5ubuntu0.3

Ubuntu 14.04 LTS:
  patch                           2.7.1-4ubuntu2.3

Ubuntu 12.04 LTS:
  patch                           2.6.1-3ubuntu0.1

In general, a standard system update will make all the necessary changes.

References:
  http://www.ubuntu.com/usn/usn-2651-1
  CVE-2010-4651, CVE-2014-9637, CVE-2015-1196, CVE-2015-1395,
  CVE-2015-1396

Package Information:
  https://launchpad.net/ubuntu/+source/patch/2.7.1-5ubuntu0.3
  https://launchpad.net/ubuntu/+source/patch/2.7.1-4ubuntu2.3
  https://launchpad.net/ubuntu/+source/patch/2.6.1-3ubuntu0.1


--GvXjxJ+pjyke8COw
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCgAGBQJViJ/iAAoJENaSAD2qAscKe7QQAMIvkGP00lxcY5nNf7NZKH4E
LPzd+J9n7j6BYizUgmyEK9NRLB0CwSzZpP4ez8ZcdC6iyQtqvDzcAsOgex4qKp51
0tqoFyJ+aRgGwfp+TM6AwBj3PO9HtI2EvYZlO/99TDc9VS5SwAliao1eGejgSjB7
m4vpf7DokGEdNXiTHsfXBEQm4cO0u+J54PXthxd+Wx87Ihiv5yOvgWGO0K9/lupn
hmEeRPxNHlO9mwYvzunXG9QlVT6Vw4MDIe/QfwtboXQwtP4jxYIFWwJPMQug2nOs
kWwgHENsQ8V8bLFDQ65U3+dV7JqXjFz5wZW0AiNFb0onvSw/3NG+XCzXRsBMbZ+d
GeCsFgI6n7c3L/QqaIAX73CI++72maSgYNEoEPUXeDAlvc2NPhwd9WGOHwnNY+Zk
FYTJLF5rpfMFVUrO1OB9Pc9rl7xXss14bh/8immFq2cyQsCd5L5w+nkmWDlQZL7I
PSL8qdbNfLABeCERFqzz5e6qe36GAm9S6eJLKp4DjfErEJ6+mIwq1BQTfwY0pzyv
Gm5xbwmtfCs8Z3gQrNZhSsdQGBFXaxoemRdYCshYzsNsch0SgN2rE9cbMKwCgXjp
0o8iSAmsEOVacGTwA0kt+oKJCxkiG2QEy+o7YKmcLVitHDwe6jTAjR3EA+sqEFlt
NYsIVPEvTmZwD80JXna1
=DmkT
-----END PGP SIGNATURE-----

--GvXjxJ+pjyke8COw--


--===============5838188491626630142==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

-- 
ubuntu-security-announce mailing list
ubuntu-security-announce@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce

--===============5838188491626630142==--
Pro-Linux
Pro-Linux @Facebook
Neue Nachrichten

141
Mach­t's gut!

51
Neue Raspber­ry Pi-Va­ri­an­te mit 8 GB RAM

0
Genode 20.05 frei­ge­ge­ben

9
Sub­ver­si­on 1.14.0-LTS vor­ge­stellt

0
»Hum­ble Ci­ties: Sky­lines Bund­le« vor­ge­stellt

0
End of Life für Co­reOS Con­tai­ner Linux ver­kün­det

32
Elek­tra 0.9.2 er­schie­nen

8
Nex­tDNS ver­lässt die Be­ta-Pha­se

23
Tu­xe­do stellt Ga­mer-Note­book vor

0
Libre Gra­phics Mee­ting be­ginnt als On­li­ne-Va­ri­an­te
 
Werbung