4 matches found
CVE-2019-13638
CVE-2019-13638 affects GNU patch up to version 2.7.6. It enables OS shell command injection when processing a crafted patch file containing an ed-style diff payload with shell metacharacters; the ed editor need not be present on the target system. Multiple connected advisories confirm vulnerable ...
CVE-2018-20969
CVE-2018-20969 / CVE-2019-13638 (GNU patch) : The vulnerability resides in do_ed_script in pch.c of GNU patch up to version 2.7.6, where do_ed_script does not block strings starting with a ! character when using ed-style payloads. This is tied to an upstream commit shared with CVE-2019-13638 and ...
CVE-2019-13636
CVE-2019-13636 affects GNU patch; the vulnerability arises from mishandling of following symlinks in inp.c and util.c in certain cases beyond input files. Public references describe potential for arbitrary file access/overwrite and, per Debian, shell command injection or escape from the working d...
CVE-2015-1396
GNU patch before 2.7.4 is vulnerable to a directory-traversal via a symlink attack in a patch file, allowing remote write of arbitrary files. Root cause: incomplete fix for CVE-2015-1196. Affected: GNU patch (up to 2.7.3). Remediation: upgrade to 2.7.4 or later; no further details provided in the...