SUSE-SU-2015:1019-1: moderate: Security update for patch

sle-security-updates at lists.suse.com
Tue Jun 9 08:05:00 MDT 2015


   SUSE Security Update: Security update for patch
______________________________________________________________________________

Announcement ID:    SUSE-SU-2015:1019-1
Rating:             moderate
References:         #904519 #913678 #915328 #915329 
Cross-References:   CVE-2015-1196 CVE-2015-1395 CVE-2015-1396
                   
Affected Products:
                    SUSE Linux Enterprise Server 12
                    SUSE Linux Enterprise Desktop 12
______________________________________________________________________________

   An update that solves three vulnerabilities and has one
   erratum is now available.

Description:

   The GNU patch utility was updated to 2.7.5 to fix three security issues
   and one non-security bug.

   The following vulnerabilities were fixed:

   * CVE-2015-1196: directory traversal flaw when handling git-style patches.
     This could allow an attacker to overwrite arbitrary files by tricking
     the user into applying a specially crafted patch. (bsc#913678)
   * CVE-2015-1395: directory traversal flaw when handling patches which
     rename files. This could allow an attacker to overwrite arbitrary files
     by tricking the user into applying a specially crafted patch.
     (bsc#915328)
   * CVE-2015-1396: directory traversal flaw via symbolic links. This could
     allow an attacker to overwrite arbitrary files by tricking the user into
     applying a specially crafted patch. (bsc#915329)
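
   The following pre-apply check is an added example, not part of the SUSE
   advisory or of GNU patch: it scans a patch's headers for the three patterns
   named above (paths leaving the working directory, rename targets, and
   symbolic links). The names lint_patch, unsafe_path and SAMPLE are
   hypothetical, and flagging every symbolic-link entry is a conservative
   assumption.

```python
import re

# Headers that name a file the patch will touch (unified and git-style).
PATH_HEADER = re.compile(r'^(?:---|\+\+\+|rename (?:from|to)|copy (?:from|to)) (.+)$')
GIT_HEADER = re.compile(r'^diff --git (\S+) (\S+)$')
SYMLINK_MODE = re.compile(r'^(?:new file|deleted file|new|old) mode 120000$')
HUNK = re.compile(r'^@@ -\d+(?:,(\d+))? \+\d+(?:,(\d+))? @@')

def unsafe_path(path):
    """True if a header path is absolute or contains a '..' component."""
    path = path.split('\t')[0].strip().strip('"')   # drop timestamp and quotes
    if path == '/dev/null':                          # marks file creation/deletion
        return False
    return path.startswith('/') or '..' in path.split('/')

def lint_patch(text):
    """Return (line_number, reason) findings for a patch held in a string."""
    findings, old_left, new_left = [], 0, 0
    for n, line in enumerate(text.splitlines(), 1):
        if old_left > 0 or new_left > 0:             # inside a hunk body: content only
            if not line.startswith('\\'):            # "\ No newline at end of file"
                old_left -= 0 if line.startswith('+') else 1
                new_left -= 0 if line.startswith('-') else 1
            continue
        m = HUNK.match(line)
        if m:                                        # an omitted count means 1
            old_left, new_left = int(m.group(1) or 1), int(m.group(2) or 1)
            continue
        m = GIT_HEADER.match(line)
        for p in (m.groups() if m else PATH_HEADER.findall(line)):
            if unsafe_path(p):
                findings.append((n, 'path escapes the working directory: ' + p))
        if SYMLINK_MODE.match(line):
            findings.append((n, 'patch creates or changes a symbolic link'))
    return findings

# Constructed sample (header lines only); the hunk body holds decoy "---" text.
SAMPLE = """\
diff --git a/docs/README b/docs/README
--- a/docs/README
+++ b/docs/README
@@ -1,2 +1,2 @@
 title
---- ../not-a-header
+--- ../also-not-a-header
diff --git a/old.txt b/new.txt
rename from old.txt
rename to ../../outside.txt
diff --git a/link b/link
new file mode 120000
"""

if __name__ == '__main__':
    for n, reason in lint_patch(SAMPLE):
        print('line %d: %s' % (n, reason))
```

   A non-empty result is a reason to read the patch by hand before applying
   it; it does not replace updating to the fixed package.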

   The following bug was fixed:

   * bsc#904519: Function names in hunks (from diff -p) are now preserved
     in reject files.


Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 12:

      zypper in -t patch SUSE-SLE-SERVER-12-2015-247=1

   - SUSE Linux Enterprise Desktop 12:

      zypper in -t patch SUSE-SLE-DESKTOP-12-2015-247=1

   To bring your system up-to-date, use "zypper patch".


Package List:

   - SUSE Linux Enterprise Server 12 (ppc64le s390x x86_64):

      patch-2.7.5-7.1
      patch-debuginfo-2.7.5-7.1
      patch-debugsource-2.7.5-7.1

   - SUSE Linux Enterprise Desktop 12 (x86_64):

      patch-2.7.5-7.1
      patch-debuginfo-2.7.5-7.1
      patch-debugsource-2.7.5-7.1


References:

   https://www.suse.com/security/cve/CVE-2015-1196.html
   https://www.suse.com/security/cve/CVE-2015-1395.html
   https://www.suse.com/security/cve/CVE-2015-1396.html
   https://bugzilla.suse.com/904519
   https://bugzilla.suse.com/913678
   https://bugzilla.suse.com/915328
   https://bugzilla.suse.com/915329
