ID CVE-2014-9637
Summary GNU patch 2.7.2 and earlier allows remote attackers to cause a denial of service (memory consumption and segmentation fault) via a crafted diff file.
References
Vulnerable Configurations
  • Fedora 20
    cpe:2.3:o:fedoraproject:fedora:20
  • Fedora 21
    cpe:2.3:o:fedoraproject:fedora:21
  • cpe:2.3:o:mageia:mageia:4.0
    cpe:2.3:o:mageia:mageia:4.0
  • Canonical Ubuntu Linux 14.04 LTS (Long-Term Support)
    cpe:2.3:o:canonical:ubuntu_linux:14.04:-:-:-:lts
  • Canonical Ubuntu Linux 14.10
    cpe:2.3:o:canonical:ubuntu_linux:14.10
  • Canonical Ubuntu Linux 12.04 LTS
    cpe:2.3:o:canonical:ubuntu_linux:12.04:-:-:-:lts
  • cpe:2.3:a:gnu:patch:2.7.2
    cpe:2.3:a:gnu:patch:2.7.2
CVSS
Base: 7.1
Impact:
Exploitability:
CWE CWE-399
CAPEC
nessus via4
  • NASL family Mandriva Local Security Checks
    NASL id MANDRIVA_MDVSA-2015-050.NASL
    description Updated patch package fixes security vulnerabilities : It was reported that a crafted diff file can make patch eat memory and later segfault (CVE-2014-9637). It was reported that the versions of the patch utility that support Git-style patches are vulnerable to a directory traversal flaw. This could allow an attacker to overwrite arbitrary files by applying a specially crafted patch, with the privileges of the user running patch (CVE-2015-1395). GNU patch before 2.7.4 allows remote attackers to write to arbitrary files via a symlink attack in a patch file (CVE-2015-1196).
    last seen 2019-02-21
    modified 2019-01-02
    plugin id 81933
    published 2015-03-19
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=81933
    title Mandriva Linux Security Advisory : patch (MDVSA-2015:050)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-2651-1.NASL
    description Jakub Wilk discovered that GNU patch did not correctly handle file paths in patch files. An attacker could specially craft a patch file that could overwrite arbitrary files with the privileges of the user invoking the program. This issue only affected Ubuntu 12.04 LTS. (CVE-2010-4651) Laszlo Boszormenyi discovered that GNU patch did not correctly handle some patch files. An attacker could specially craft a patch file that could cause a denial of service. (CVE-2014-9637) Jakub Wilk discovered that GNU patch did not correctly handle symbolic links in git style patch files. An attacker could specially craft a patch file that could overwrite arbitrary files with the privileges of the user invoking the program. This issue only affected Ubuntu 14.04 LTS and Ubuntu 14.10. (CVE-2015-1196) Jakub Wilk discovered that GNU patch did not correctly handle file renames in git style patch files. An attacker could specially craft a patch file that could overwrite arbitrary files with the privileges of the user invoking the program. This issue only affected Ubuntu 14.04 LTS and Ubuntu 14.10. (CVE-2015-1395) Jakub Wilk discovered the fix for CVE-2015-1196 was incomplete for GNU patch. An attacker could specially craft a patch file that could overwrite arbitrary files with the privileges of the user invoking the program. This issue only affected Ubuntu 14.04 LTS and Ubuntu 14.10. (CVE-2015-1396). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 84339
    published 2015-06-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=84339
    title Ubuntu 12.04 LTS / 14.04 LTS / 14.10 : patch vulnerabilities (USN-2651-1)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2015-1134.NASL
    description Security fixes for CVE-2014-9637 and CVE-2015-1196. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-01-30
    plugin id 81112
    published 2015-02-02
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=81112
    title Fedora 21 : patch-2.7.3-1.fc21 (2015-1134)
  • NASL family Mandriva Local Security Checks
    NASL id MANDRIVA_MDVSA-2015-138.NASL
    description Updated patch package fixes security vulnerabilities : It was reported that a crafted diff file can make patch eat memory and later segfault (CVE-2014-9637). It was reported that the versions of the patch utility that support Git-style patches are vulnerable to a directory traversal flaw. This could allow an attacker to overwrite arbitrary files by applying a specially crafted patch, with the privileges of the user running patch (CVE-2015-1395). GNU patch before 2.7.4 allows remote attackers to write to arbitrary files via a symlink attack in a patch file (CVE-2015-1196).
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 82391
    published 2015-03-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=82391
    title Mandriva Linux Security Advisory : patch (MDVSA-2015:138)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2015-1165.NASL
    description Security fixes for CVE-2014-9637, CVE-2015-1196, and an infinite loop with a crafted diff. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-01-30
    plugin id 82596
    published 2015-04-07
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=82596
    title Fedora 20 : patch-2.7.5-1.fc20 (2015-1165)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2018-1162-1.NASL
    description This update for patch fixes several issues. These security issues were fixed : - CVE-2018-1000156: patch: Malicious patch files cause ed to execute arbitrary commands (bsc#1088420). - CVE-2014-9637: Prevent DoS by remote attackers (memory consumption and segmentation fault) via a crafted diff file (bsc#914891). - CVE-2016-10713: Prevent out-of-bounds access within pch_write_line() that could have lead to DoS via a crafted input file (bsc#1080918). - CVE-2010-4651: Fixed a directory traversal bug (bsc#662957) : Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 109599
    published 2018-05-08
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=109599
    title SUSE SLES11 Security Update : patch (SUSE-SU-2018:1162-1)
refmap via4
bid 72286
confirm
fedora
  • FEDORA-2015-1134
  • FEDORA-2015-1165
mlist [oss-security] 20150122 Re: CVE request: directory traversal flaw in patch
ubuntu USN-2651-1
Last major update 25-08-2017 - 14:29
Published 25-08-2017 - 14:29
Last modified 29-08-2017 - 21:16
Back to Top