Lucene search

DebianDEBIAN:DSA-4489-1:AF3D9

HistoryJul 27, 2019 - 5:46 p.m.

[SECURITY] [DSA 4489-1] patch security update

2019-07-2717:46:40

lists.debian.org

243

CVSS2

9.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:C/I:C/A:C

CVSS3

7.8

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

AI Score

8.4

Confidence

High

EPSS

0.021

Percentile

89.3%

JSON

Debian Security Advisory DSA-4489-1 [email protected]
https://www.debian.org/security/ Salvatore Bonaccorso
July 27, 2019 https://www.debian.org/security/faq

Package : patch
CVE ID : CVE-2019-13636 CVE-2019-13638
Debian Bug : 932401 933140

Imre Rad discovered several vulnerabilities in GNU patch, leading to
shell command injection or escape from the working directory and access
and overwrite files, if specially crafted patch files are processed.

This update includes a bugfix for a regression introduced by the patch
to address CVE-2018-1000156 when applying an ed-style patch (#933140).

For the oldstable distribution (stretch), these problems have been fixed
in version 2.7.5-1+deb9u2.

For the stable distribution (buster), these problems have been fixed in
version 2.7.6-3+deb10u1.

We recommend that you upgrade your patch packages.

For the detailed security status of patch please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/patch

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: [email protected]

OSVersionArchitecturePackageVersionFilename
Debian9allpatch< 2.7.5-1+deb9u2patch_2.7.5-1+deb9u2_all.deb
Debian10arm64patch< 2.7.6-3+deb10u1patch_2.7.6-3+deb10u1_arm64.deb
Debian10arm64patch-dbgsym< 2.7.6-3+deb10u1patch-dbgsym_2.7.6-3+deb10u1_arm64.deb
Debian9amd64patch< 2.7.5-1+deb9u2patch_2.7.5-1+deb9u2_amd64.deb
Debian10allpatch< 2.7.6-3+deb10u1patch_2.7.6-3+deb10u1_all.deb
Debian10amd64patch-dbgsym< 2.7.6-3+deb10u1patch-dbgsym_2.7.6-3+deb10u1_amd64.deb
Debian10i386patch-dbgsym< 2.7.6-3+deb10u1patch-dbgsym_2.7.6-3+deb10u1_i386.deb
Debian9mips64elpatch< 2.7.5-1+deb9u2patch_2.7.5-1+deb9u2_mips64el.deb
Debian9mipselpatch< 2.7.5-1+deb9u2patch_2.7.5-1+deb9u2_mipsel.deb
Debian10armelpatch-dbgsym< 2.7.6-3+deb10u1patch-dbgsym_2.7.6-3+deb10u1_armel.deb

OS	Version	Architecture	Package	Version	Filename
Debian	9	all	patch	< 2.7.5-1+deb9u2	patch_2.7.5-1+deb9u2_all.deb
Debian	10	arm64	patch	< 2.7.6-3+deb10u1	patch_2.7.6-3+deb10u1_arm64.deb
Debian	10	arm64	patch-dbgsym	< 2.7.6-3+deb10u1	patch-dbgsym_2.7.6-3+deb10u1_arm64.deb
Debian	9	amd64	patch	< 2.7.5-1+deb9u2	patch_2.7.5-1+deb9u2_amd64.deb
Debian	10	all	patch	< 2.7.6-3+deb10u1	patch_2.7.6-3+deb10u1_all.deb
Debian	10	amd64	patch-dbgsym	< 2.7.6-3+deb10u1	patch-dbgsym_2.7.6-3+deb10u1_amd64.deb
Debian	10	i386	patch-dbgsym	< 2.7.6-3+deb10u1	patch-dbgsym_2.7.6-3+deb10u1_i386.deb
Debian	9	mips64el	patch	< 2.7.5-1+deb9u2	patch_2.7.5-1+deb9u2_mips64el.deb
Debian	9	mipsel	patch	< 2.7.5-1+deb9u2	patch_2.7.5-1+deb9u2_mipsel.deb
Debian	10	armel	patch-dbgsym	< 2.7.6-3+deb10u1	patch-dbgsym_2.7.6-3+deb10u1_armel.deb