Subject: Re: [bug-patch] [PATCH] do not let a malicious patch create files above current directory
From: Jim Meyering
Date: Thu, 03 Feb 2011 22:49:29 +0100
Andreas Gruenbacher wrote:
> ftp://alpha.gnu.org/gnu/patch/:
>
> patch-2.6.1.109-685a.tar.gz
Thanks for making the release.
Sorry I didn't think to update NEWS sooner:
From 4ba4ef8f2820af172e77bf419e80ecdf4de72f93 Mon Sep 17 00:00:00 2001
From: Jim Meyering <address@hidden>
Date: Thu, 3 Feb 2011 22:46:58 +0100
Subject: [PATCH] doc: mention the fix for CVE-2010-4651
* NEWS: Mention the fix.
---
ChangeLog | 5 +++++
NEWS | 2 ++
2 files changed, 7 insertions(+), 0 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 20810cb..c213230 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+2011-02-03 Jim Meyering <address@hidden>
+
+ doc: mention the fix for CVE-2010-4651
+ * NEWS: Mention the fix.
+
2011-02-01 Jim Meyering <address@hidden>
and Andreas Gruenbacher <address@hidden>
diff --git a/NEWS b/NEWS
index c727782..65d3796 100644
--- a/NEWS
+++ b/NEWS
@@ -1,3 +1,5 @@
+* patch now rejects a destination file name that is absolute or that contains
+ a component of "..". This addresses CVE-2010-4651,
* Support for most features of the "diff --git" format: renames and copies,
permission changes, symlink diffs. Caveats:
+ Binary diffs are not supported yet; patch will complain and skip them.
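Review bot: the new NEWS item ends in a comma ("This addresses CVE-2010-4651,") where a period is needed, so it reads as a sentence cut off mid-way before the next bullet; either end it with "." or finish the thought. Also consider stating what happens on rejection (whether patch skips that file or aborts) so users reading NEWS know what behavior to expect from a rejected name, since the item only says the name is rejected.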
--
1.7.4.2.g597a6