PublicDateAtUSN: 2015-01-21
Candidate: CVE-2015-1196
PublicDate: 2015-01-21 18:59:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1196
 https://ubuntu.com/security/notices/USN-2651-1
Description:
 GNU patch 2.7.1 allows remote attackers to write to arbitrary files via a symlink attack in a patch file.
Ubuntu-Description:
Notes:
 mdeslaur> git-style patch support added in 2.7
 mdeslaur> no upstream fix as of 2015-01-19
 seth-arnold> fix for the fix http://git.savannah.gnu.org/cgit/patch.git/commit/?id=41688ad8ef88bc296f3bed30b171ec73e5876b88
Bugs:
 https://savannah.gnu.org/bugs/?44048
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=775227
 https://bugzilla.redhat.com/show_bug.cgi?id=1182154
Priority: medium
Discovered-by: Jakub Wilk
Assigned-to: tyhicks
CVSS:

Patches_patch:
 upstream: http://git.savannah.gnu.org/cgit/patch.git/commit/?id=4e9269a5fc1fe80a1095a92593dd85db871e1fd3
upstream_patch: released (2.7.1-7)
lucid_patch: not-affected (2.6-2ubuntu1)
precise_patch: not-affected (2.6.1-3)
trusty_patch: released (2.7.1-4ubuntu2.3)
trusty/esm_patch: released (2.7.1-4ubuntu2.3)
utopic_patch: released (2.7.1-5ubuntu0.3)
vivid_patch: released (2.7.3-1)
devel_patch: released (2.7.3-1)