CVE (security issues) of Linux patch utility

[techtonik]

One of the reasons why patch.py was started was insecurity of running Unix patch utility on web server. In 2015 the Unix patch still has security issues. So it is important to put them into checklist and cover with tests to ensure that patch.py doesn't have those deficiencies. Here is the starting list that came today with Ubuntu update:

Version 2.7.1-4ubuntu2.3:

• SECURITY UPDATE: Denial of service via crafted patch
  • debian/patches/CVE-2014-9637.patch: Detect and exit upon memory allocation failures
  • CVE-2014-9637
• SECURITY UPDATE: Directory traversal via crafted patch
  • debian/patches/CVE-2015-1196.patch: Don't allow symlink targets to point outside of the current directory
  • CVE-2015-1196
• SECURITY UPDATE: Directory traversal via crafted patch
  • debian/patches/CVE-2015-1395.patch: Check the validity of both filenames during a rename or copy
  • CVE-2015-1395
• SECURITY UPDATE: Directory traversal via crafted patch
  • debian/patches/CVE-2015-1396.patch: Don't allow symlink targets to point outside of the current directory. This patch corrects the incomplete fix for CVE-2015-1196.
  • CVE-2015-1396

[techtonik]

There are still problems 4 years after - #65