Control: tags -1 upstream

Hi,

On Wed, Jan 28, 2015 at 8:10 AM, Martin Pitt <mar...@piware.de> wrote:
> Michael Biebl [2015-01-26 1:55 +0100]:
>> the latest update of patch broke the systemd package and causes it to
>> FTBFS:
>
> BTW, at least glibc is also affected, and judging by the recent slew
> of autopkgtest failures in Ubuntu there's some more. We really need to
> get this fixed fast.

There were several security flaws in patch recently. One of these is
the possibility of writing arbitrary files via a symlink attack in a
patch file _and_ directory traversal via symlinks. It is named as
CVE-2015-1196[1]. Upstream fixed it and I've uploaded it.
It seems upstream put too much restriction on symlinks, Cc-ing him.
But will investigate this myself as well in the afternoon.

Regards,
Laszlo/GCS
[1] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1196

