oss-sec mailing list archives
Re: CVE request: patch directory traversal flaw
From: Raphael Geissert <geissert () debian org>
Date: Thu, 06 Jan 2011 14:44:36 -0600
Vincent Danen wrote:
We got a heads up on a directory traversal flaw in patch. I don't think a CVE name has been assigned to it; could we get one? It allows for the creation of arbitrary files in unexpected places due to the use of '..'. References: https://bugzilla.redhat.com/show_bug.cgi?id=667529 http://osdir.com/ml/bug-patch-gnu/2010-12/msg00000.html
Talking to Steve it looks like some things are not very clear, so I hope the following explains it: * dpkg uses patch to apply patches in source packages format 1.0 and 3.0 quilt (in spite of the name, dpkg uses an internal implementation of quilt) * under the hood, patch is the one traversing directories when applying patches * dpkg has its own set of checks for such traversals and general patch sanity checks. In fact, CVE-2010-0396 was also related to directory traversals. CVE-2010-1679 is about dpkg being happy to pass patches with invalid paths to patch and following symlinks in the .pc directory. That said, I don't know if quilt itself is affected by the .pc directory issue, and if it is, whether it is really relevant. For further reference, DSA-2142-1 addresses the flaws in dpkg: http://lists.debian.org/debian-security-announce/2011/msg00004.html Cheers, -- Raphael Geissert - Debian Developer www.debian.org - get.debian.net
Current thread:
- CVE request: patch directory traversal flaw Vincent Danen (Jan 05)
- Re: CVE request: patch directory traversal flaw Dan Rosenberg (Jan 05)
- Re: CVE request: patch directory traversal flaw Vincent Danen (Jan 05)
- Re: CVE request: patch directory traversal flaw Steve Beattie (Jan 06)
- Re: CVE request: patch directory traversal flaw Raphael Geissert (Jan 06)
- Re: CVE request: patch directory traversal flaw Josh Bressers (Jan 06)
- Re: CVE request: patch directory traversal flaw Vasiliy Kulikov (Jan 26)
- Re: CVE request: patch directory traversal flaw Vasiliy Kulikov (Feb 18)
- Re: CVE request: patch directory traversal flaw Raphael Geissert (Jan 06)
- Re: CVE request: patch directory traversal flaw Dan Rosenberg (Jan 05)