Security update for patch

SUSE Security Update: Security update for patch
Announcement ID: SUSE-SU-2015:1019-1
Rating: moderate
References: #904519 #913678 #915328 #915329
Affected Products:
  • SUSE Linux Enterprise Server 12
  • SUSE Linux Enterprise Desktop 12

  • An update that solves three vulnerabilities and has one errata is now available.

    Description:

    The GNU patch utility was updated to 2.7.5 to fix three security issues
    and one non-security bug.

    The following vulnerabilities were fixed:

    * CVE-2015-1196: directory traversal flaw when handling git-style patches.
    This could allow an attacker to overwrite arbitrary files by tricking
    the user into applying a specially crafted patch. (bsc#913678)
    * CVE-2015-1395: directory traversal flaw when handling patches which
    rename files. This could allow an attacker to overwrite arbitrary files
    by tricking the user into applying a specially crafted patch.
    (bsc#915328)
    * CVE-2015-1396: directory traversal flaw via symbolic links. This could
    allow an attacker to overwrite arbitrary files by tricking the user into
    applying a by applying a specially crafted patch. (bsc#915329)

    The following bug was fixed:

    * bsc#904519: Function names in hunks (from diff -p) are now preserved
    in reject files.

    Patch Instructions:

    To install this SUSE Security Update use YaST online_update.
    Alternatively you can run the command listed for your product:

    • SUSE Linux Enterprise Server 12:
      zypper in -t patch SUSE-SLE-SERVER-12-2015-247=1
    • SUSE Linux Enterprise Desktop 12:
      zypper in -t patch SUSE-SLE-DESKTOP-12-2015-247=1

    To bring your system up-to-date, use "zypper patch".

    Package List:

    • SUSE Linux Enterprise Server 12 (ppc64le s390x x86_64):
      • patch-2.7.5-7.1
      • patch-debuginfo-2.7.5-7.1
      • patch-debugsource-2.7.5-7.1
    • SUSE Linux Enterprise Desktop 12 (x86_64):
      • patch-2.7.5-7.1
      • patch-debuginfo-2.7.5-7.1
      • patch-debugsource-2.7.5-7.1

    References: