CVE-2015-1395
https://notcve.org/view.php?id=CVE-2015-1395
Directory traversal vulnerability in GNU patch versions which support Git-style patching before 2.7.3 allows remote attackers to write to arbitrary files with the permissions of the target user via a .. (dot dot) in a diff file name. Una vulnerabilidad de salto de directorio en GNU en versiones de parche que soportan parcheo Git-style en versiones anteriores a la 2.7.3 permite que atacantes remotos escriban en archivos arbitrarios con los permisos del usuario objetivo mediante un ".." (dot dot) en el nombre de un archivo diff. • http://lists.fedoraproject.org/pipermail/package-announce/2015-April/154214.html http://lists.fedoraproject.org/pipermail/package-announce/2015-January/148953.html http://www.openwall.com/lists/oss-security/2015/01/27/28 http://www.securityfocus.com/bid/72846 http://www.ubuntu.com/usn/USN-2651-1 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=775873 https://bugzilla.redhat.com/show_bug.cgi?id=1184490 https://git.savannah.gnu.org/cgit/patch.git/commit/?id=17953b5893f7c9835f0dd2a704 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVE-2014-9637
https://notcve.org/view.php?id=CVE-2014-9637
GNU patch 2.7.2 and earlier allows remote attackers to cause a denial of service (memory consumption and segmentation fault) via a crafted diff file. GNU parche 2.7.2 y anteriores permite que atacantes remotos provoquen una denegación de servicio (consumo de memoria y error de segmentación) mediante un archivo diff manipulado. • http://advisories.mageia.org/MGASA-2015-0068.html http://lists.fedoraproject.org/pipermail/package-announce/2015-April/154214.html http://lists.fedoraproject.org/pipermail/package-announce/2015-January/148953.html http://www.openwall.com/lists/oss-security/2015/01/22/7 http://www.securityfocus.com/bid/72286 http://www.ubuntu.com/usn/USN-2651-1 https://bugzilla.redhat.com/show_bug.cgi?id=1185262 https://git.savannah.gnu.org/cgit/patch.git/commit/?id=0c08d7a902c6fdd49b704623a12d8d672ef18944 • CWE-399: Resource Management Errors •
CVE-2015-1196
https://notcve.org/view.php?id=CVE-2015-1196
GNU patch 2.7.1 allows remote attackers to write to arbitrary files via a symlink attack in a patch file. El parche de GNU 2.7.1 permite a atacantes remotos escribir a ficheros arbitrarios a través de un ataque de enlace simbólico en un fichero del parche. • http://git.savannah.gnu.org/cgit/patch.git/commit/?id=4e9269a5fc1fe80a1095a92593dd85db871e1fd3 http://lists.opensuse.org/opensuse-updates/2015-02/msg00013.html http://seclists.org/oss-sec/2015/q1/173 http://www.oracle.com/technetwork/topics/security/bulletinjul2015-2511963.html http://www.securityfocus.com/bid/72074 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=775227 https://bugzilla.redhat.com/show_bug.cgi?id=1182154 https://exchange.xforce.ibmcloud.com/vulnerabilities/99967 • CWE-59: Improper Link Resolution Before File Access ('Link Following') •