File _patchinfo of Package patchinfo.655

<patchinfo incident="655">
  <issue id="915328" tracker="bnc">VUL-1: CVE-2015-1395: patch: directory traversal via file rename</issue>
  <issue id="904519" tracker="bnc">patch no longer includes C function names in reject files</issue>
  <issue id="915329" tracker="bnc">VUL-1: CVE-2015-1396: patch: directory traversal via symlinks</issue>
  <issue id="913678" tracker="bnc">VUL-0: CVE-2015-1196: patch: directory traversal via symlinks</issue>
  <issue id="CVE-2015-1196" tracker="cve" />
  <issue id="CVE-2015-1395" tracker="cve" />
  <issue id="CVE-2015-1396" tracker="cve" />
  <category>security</category>
  <rating>moderate</rating>
  <packager>jdelvare</packager>
  <description>The GNU patch utility was updated to 2.7.5 to fix three security issues and one non-security bug.

The following vulnerabilities were fixed:

* CVE-2015-1196: directory traversal flaw when handling git-style patches. This could allow an attacker to overwrite arbitrary files by tricking the user into applying a specially crafted patch. (bsc#913678)
* CVE-2015-1395: directory traversal flaw when handling patches which rename files. This could allow an attacker to overwrite arbitrary files by tricking the user into applying a specially crafted patch. (bsc#915328) 
* CVE-2015-1396: directory traversal flaw via symbolic links. This could allow an attacker to overwrite arbitrary files by tricking the user into applying a specially crafted patch. (bsc#915329)

The following bug was fixed:

* bsc#904519: Function names in hunks (from diff -p) are now preserved in reject files.
</description>
  <summary>Security update for patch</summary>
</patchinfo>