Fedora Security Update Fixes Patch Directory Traversal File Creation


Description   A vulnerability has been identified in Fedora that attackers could exploit to create arbitrary files. The issue is caused by an input validation error in the patch utility when handling path names: by tricking a user into applying a malicious patch, an attacker can use directory traversal to create arbitrary files in arbitrary locations.
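
A pre-apply check for the path-name problem described above, as an added example that is not part of the original advisory or of the patch utility: it lists file names in a unified diff's headers that are absolute or contain a `..` component. The function names and the sample patch are constructed for illustration, and file names containing spaces or tabs are assumed not to occur.

```python
import re
from pathlib import PurePosixPath

HUNK = re.compile(r"^@@ -\d+(?:,(\d+))? \+\d+(?:,(\d+))? @@")
HEADER = re.compile(r"^(?:--- |\+\+\+ |Index: )(.+)$")

def header_paths(patch_text):
    """Yield (line_no, path) for each file name in a unified diff header."""
    old_left = new_left = 0                   # hunk body lines still expected
    for no, line in enumerate(patch_text.splitlines(), 1):
        if old_left > 0 or new_left > 0:      # hunk body: file content, not names
            if line.startswith("\\"):         # "\ No newline at end of file"
                continue
            if not line.startswith("+"):      # context or removed line
                old_left -= 1
            if not line.startswith("-"):      # context or added line
                new_left -= 1
            continue
        m = HUNK.match(line)
        if m:                                 # an omitted count means 1
            old_left = int(m.group(1) or 1)
            new_left = int(m.group(2) or 1)
            continue
        if line.startswith("diff --git "):
            for p in line.split()[2:4]:
                yield no, p
            continue
        m = HEADER.match(line)
        if m:                                 # drop the tab-separated timestamp
            yield no, m.group(1).split("\t")[0].strip()

def unsafe_targets(patch_text):
    """Return header paths that are absolute or contain a '..' component."""
    findings = []
    for no, path in header_paths(patch_text):
        p = PurePosixPath(path)
        if path != "/dev/null" and (p.is_absolute() or ".." in p.parts):
            findings.append((no, path))
    return findings

# Constructed sample: lines 5-6 are hunk content that only looks like a header.
SAMPLE = """\
--- a/src/main.c\t2011-01-01 00:00:00
+++ b/src/main.c\t2011-01-02 00:00:00
@@ -1,2 +1,2 @@
 int main(void) {
--- old comment
+++ new comment
--- /dev/null
+++ ../../tmp/constructed.txt
@@ -0,0 +1 @@
+constructed
"""
```

Any `..` component is reported regardless of how many leading components a later strip option would remove, so a non-empty result means the patch should be read before it is applied.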
     
Vulnerable Products   Vulnerable Software:
Fedora 14
Fedora 13
     
Solution   Upgrade the affected package (patch): http://docs.fedoraproject.org/yum/
     
CVE   CVE-2010-4651
     
References   http://lists.fedoraproject.org/pipermail/package-announce/2011-March/055241.html
http://lists.fedoraproject.org/pipermail/package-announce/2011-March/055246.html
https://bugzilla.redhat.com/show_bug.cgi?id=667529
     
Vulnerability Manager Detection   No
     
IPS Protection
ASQ Engine alarm   Available Since
Misc : Directory traversal - parameter starting with ../   3.2.0
Directory traversal using ..\..   3.2.0
Directory traversal   3.2.0
Directory traversal backward root folder   3.2.0

Risk level   Low

Vulnerability First Public Report Date   2011-03-08

Target Type   Server

Possible exploit   Local & Remote