CVE-2019-13638

Published

Last updated

NVD

https://nvd.nist.gov/vuln/detail/CVE-2019-13638

CGA ID

CGA-h9fg-vmqh-cgmw

Severity

Unknown

Description

GNU patch through 2.7.6 is vulnerable to OS shell command injection that can be exploited by opening a crafted patch file that contains an ed style diff payload with shell metacharacters. The ed editor does not need to be present on the vulnerable system. This is different from CVE-2018-1000156.

References

https://images.chainguard.dev/security/CGA-h9fg-vmqh-cgmw
https://github.com/advisories/GHSA-vqpq-8jvg-rwmx
https://access.redhat.com/errata/RHSA-2019:2798
https://access.redhat.com/errata/RHSA-2019:2964
https://access.redhat.com/errata/RHSA-2019:3757
https://access.redhat.com/errata/RHSA-2019:3758
https://access.redhat.com/errata/RHSA-2019:4061
https://git.savannah.gnu.org/cgit/patch.git/commit/?id=3fcd042d26d70856e826a42b5f93dc4854d80bf0
https://security.gentoo.org/glsa/201908-22
https://security.netapp.com/advisory/ntap-20190828-0001/
https://www.debian.org/security/2019/dsa-4489
https://seclists.org/bugtraq/2019/Jul/54
http://packetstormsecurity.com/files/154124/GNU-patch-Command-Injection-Directory-Traversal.html
https://github.com/irsl/gnu-patch-vulnerabilities
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SVWWGISFWACROJJPVJJL4UBLVZ7LPOLT/
https://seclists.org/bugtraq/2019/Aug/29
https://security-tracker.debian.org/tracker/CVE-2019-13638
https://security.alpinelinux.org/vuln/CVE-2019-13638

Affected packages

Advisories are based on vulnerability information provided by Grype from Anchore. Learn how Chainguard creates security advisories.

Safe Source for Open Source™

Media Kit Contact Us

Private Policy

CVE-2019-13638

Severity

Description

References

Affected packages

Products

Why Chainguard

Customers

Company

Resources