oss-sec mailing list archives
Re: CVE request: patch directory traversal flaw
From: Vasiliy Kulikov <segoon () openwall com>
Date: Fri, 18 Feb 2011 19:51:25 +0300
The patch of Jim Meyering introduces interdiff regression: $ interdiff -z john-1.7.6-jumbo-9.diff.gz john-1.7.6-jumbo-10.diff.gz patch: **** rejecting absolute target file name: /tmp/.private/genie/interdiff-1.7yovIC interdiff: Error applying patch1 to reconstructed file interdiff creates a patch with absolute filenames, but doesn't pass the target filename as an argument to patch. It is fixed in the latest upstream version 0.3.2. The fix itself is as follows: --- patchutils-0.3.1.orig/src/interdiff.c 2011-02-18 17:57:05.000000000 +0300 +++ patchutils-0.3.1/src/interdiff.c 2011-02-18 17:57:24.000000000 +0300 @@ -808,7 +808,7 @@ apply_patch (FILE *patch, const char *fi FILE *w; w = xpipe(PATCH, &child, "w", PATCH, - reverted ? "-Rsp0" : "-sp0", NULL); + reverted ? "-Rsp0" : "-sp0", file, NULL); fprintf (w, "--- %s\n+++ %s\n", file, file); line = NULL; -- Thanks, -- Vasiliy
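Review bot: In the xpipe() call in apply_patch, `file` is now passed to patch as a bare operand directly after the "-sp0"/"-Rsp0" option string, so a name beginning with `-` would be parsed by patch as an option instead of as the target file. Consider passing "--" before it to end option parsing, for example `reverted ? "-Rsp0" : "-sp0", "--", file, NULL`. A short comment would also help here, saying that the operand is needed because the `--- %s` / `+++ %s` header written by the fprintf below carries an absolute temporary path, which patch now rejects when it has to take the target name from the header.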