Ubuntu 12.04 LTS / 14.04 LTS / 14.10 : patch vulnerabilities (USN-2651-1)

Ubuntu Security Notice (C) 2015-2017 Canonical, Inc. / NASL script (C) 2015-2017 Tenable Network Security, Inc.


Synopsis :

The remote Ubuntu host is missing a security-related patch.

Description :

Jakub Wilk discovered that GNU patch did not correctly handle file
paths in patch files. An attacker could specially craft a patch file
that could overwrite arbitrary files with the privileges of the user
invoking the program. This issue only affected Ubuntu 12.04 LTS.
(CVE-2010-4651)

Laszlo Boszormenyi discovered that GNU patch did not correctly
handle some patch files. An attacker could specially craft a patch
file that could cause a denial of service. (CVE-2014-9637)

Jakub Wilk discovered that GNU patch did not correctly handle symbolic
links in git style patch files. An attacker could specially craft a
patch file that could overwrite arbitrary files with the privileges of
the user invoking the program. This issue only affected Ubuntu 14.04
LTS and Ubuntu 14.10. (CVE-2015-1196)

Jakub Wilk discovered that GNU patch did not correctly handle file
renames in git style patch files. An attacker could specially craft a
patch file that could overwrite arbitrary files with the privileges of
the user invoking the program. This issue only affected Ubuntu 14.04
LTS and Ubuntu 14.10. (CVE-2015-1395)

Jakub Wilk discovered the fix for CVE-2015-1196 was incomplete for GNU
patch. An attacker could specially craft a patch file that could
overwrite arbitrary files with the privileges of the user invoking the
program. This issue only affected Ubuntu 14.04 LTS and Ubuntu 14.10.
(CVE-2015-1396).

Note that Tenable Network Security has extracted the preceding
description block directly from the Ubuntu security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.

Solution :

Update the affected patch package.

Risk factor :

High / CVSS Base Score : 7.8
(CVSS2#AV:N/AC:L/Au:N/C:N/I:C/A:N)
CVSS Temporal Score : 6.4
(CVSS2#E:F/RL:OF/RC:ND)
Public Exploit Available : true

Family: Ubuntu Local Security Checks

Nessus Plugin ID: 84339 ()

Bugtraq ID: 46768
72074
72286
72846

CVE ID: CVE-2010-4651
CVE-2014-9637
CVE-2015-1196
CVE-2015-1395
CVE-2015-1396

Ready to Amp Up Your Nessus Experience?

Get Nessus Professional to scan unlimited IPs, run compliance checks & more

Buy Nessus Professional Now