Security update for patch
Announcement ID: | SUSE-SU-2015:1019-1 |
Rating: | moderate |
References: | #904519 #913678 #915328 #915329 |
Affected Products: |
An update that solves three vulnerabilities and has one errata is now available.
Description:
The GNU patch utility was updated to 2.7.5 to fix three security issues
and one non-security bug.
The following vulnerabilities were fixed:
* CVE-2015-1196: directory traversal flaw when handling git-style patches.
This could allow an attacker to overwrite arbitrary files by tricking
the user into applying a specially crafted patch. (bsc#913678)
* CVE-2015-1395: directory traversal flaw when handling patches which
rename files. This could allow an attacker to overwrite arbitrary files
by tricking the user into applying a specially crafted patch.
(bsc#915328)
* CVE-2015-1396: directory traversal flaw via symbolic links. This could
allow an attacker to overwrite arbitrary files by tricking the user into
applying a by applying a specially crafted patch. (bsc#915329)
The following bug was fixed:
* bsc#904519: Function names in hunks (from diff -p) are now preserved
in reject files.
Patch Instructions:
To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:
- SUSE Linux Enterprise Server 12:
zypper in -t patch SUSE-SLE-SERVER-12-2015-247=1
- SUSE Linux Enterprise Desktop 12:
zypper in -t patch SUSE-SLE-DESKTOP-12-2015-247=1
To bring your system up-to-date, use "zypper patch".
Package List:
- SUSE Linux Enterprise Server 12 (ppc64le s390x x86_64):
- patch-2.7.5-7.1
- patch-debuginfo-2.7.5-7.1
- patch-debugsource-2.7.5-7.1
- SUSE Linux Enterprise Desktop 12 (x86_64):
- patch-2.7.5-7.1
- patch-debuginfo-2.7.5-7.1
- patch-debugsource-2.7.5-7.1