7.8

CVE-2018-1000156

GNU Patch version 2.7.6 contains an input validation vulnerability when processing patch files, specifically the EDITOR_PROGRAM invocation (using ed) can result in code execution. This attack appear to be exploitable via a patch file processed via the patch utility. This is similar to FreeBSD's CVE-2015-1418 however although they share a common ancestry the code bases have diverged over time.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 5.56% 0.918
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 7.8 1.8 5.9
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd@nist.gov 6.8 8.6 6.4
AV:N/AC:M/Au:N/C:P/I:P/A:P
CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

http://rachelbythebay.com/w/2018/04/05/bangpatch/
Third Party Advisory
https://usn.ubuntu.com/3624-1/
Third Party Advisory
https://usn.ubuntu.com/3624-2/
Third Party Advisory
https://security.gentoo.org/glsa/201904-17
Third Party Advisory
http://packetstormsecurity.com/files/154124/GNU-patch-Command-Injection-Directory-Traversal.html
https://access.redhat.com/errata/RHSA-2018:1199
Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:1200
Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:2091
Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:2092
Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:2093
Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:2094
Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:2095
Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:2096
Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:2097
Third Party Advisory
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=894667#19
Third Party Advisory
Issue Tracking
https://lists.debian.org/debian-lts-announce/2018/04/msg00013.html
Third Party Advisory
Mailing List
https://savannah.gnu.org/bugs/index.php?53566
Vendor Advisory
https://seclists.org/bugtraq/2019/Aug/29
https://seclists.org/bugtraq/2019/Jul/54
https://twitter.com/kurtseifried/status/982028968877436928
Third Party Advisory
https://web.archive.org/web/20180405231329/https://twitter.com/kurtseifried/status/982028968877436928