Diffstat (limited to 'ChangeLog'):
-rw-r--r--  ChangeLog  13
1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/ChangeLog b/ChangeLog
index bbe5fe7..20810cb 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,14 @@
+2011-02-01 Jim Meyering <meyering@redhat.com>
+ and Andreas Gruenbacher <agruen@linbit.com>
+
+ Do not let a malicious patch create files above current directory
+ This addresses CVE-2010-4651, reported by Jakub Wilk.
+ https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-4651
+ * src/util.c (strip_leading_slashes): Reject absolute file names and
+ file names containing a component of "..".
+ * tests/bad-filenames: New file. Test for this.
+ * tests/Makefile.am (TESTS): Add it.
+
2010-12-04 Andreas Gruenbacher <agruen@linbit.com>
* src/util.c (make_tempfile): Create missing directories when
@@ -3594,7 +3605,7 @@ Sun Dec 17 17:29:48 1989 Jim Kingdon (kingdon at hobbes.ai.mit.edu)
Copyright (C) 1984, 1985, 1986, 1987, 1988 Larry Wall.
Copyright (C) 1989, 1990, 1991, 1992, 1993, 1997, 1998, 1999, 2000, 2001,
-2002, 2009, 2010 Free Software Foundation, Inc.
+2002, 2009, 2010, 2011 Free Software Foundation, Inc.
This file is part of GNU Patch.