CVE-2019-13638
Published: 22 July 2019
GNU patch through 2.7.6 is vulnerable to OS shell command injection that can be exploited by opening a crafted patch file that contains an ed style diff payload with shell metacharacters. The ed editor does not need to be present on the vulnerable system. This is different from CVE-2018-1000156.
Priority
Status
Package | Release | Status |
---|---|---|
patch Launchpad, Ubuntu, Debian |
bionic |
Released
(2.7.6-2ubuntu1.1)
|
disco |
Released
(2.7.6-3ubuntu0.1)
|
|
trusty |
Released
(2.7.1-4ubuntu2.4+esm1)
Available with Ubuntu Pro or Ubuntu Pro (Infra-only) |
|
upstream |
Released
(2.7.6-5)
|
|
xenial |
Released
(2.7.5-1ubuntu0.16.04.2)
|
|
Patches: upstream: https://git.savannah.gnu.org/cgit/patch.git/commit/?id=3fcd042d26d70856e826a42b5f93dc4854d80bf0 |
Severity score breakdown
Parameter | Value |
---|---|
Base score | 7.8 |
Attack vector | Local |
Attack complexity | Low |
Privileges required | None |
User interaction | Required |
Scope | Unchanged |
Confidentiality | High |
Integrity impact | High |
Availability impact | High |
Vector | CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |