CVE-2018-1000156

7.8HIGH

Key Information:

Vendor
Gnu
Status
Patch
Vendor
CVE Published:
6 April 2018

Summary

GNU Patch version 2.7.6 contains an input validation vulnerability when processing patch files, specifically the EDITOR_PROGRAM invocation (using ed) can result in code execution. This attack appear to be exploitable via a patch file processed via the patch utility. This is similar to FreeBSD's CVE-2015-1418 however although they share a common ancestry the code bases have diverged over time.

References

https://savannah.gnu.org/bugs/index.php?53566
x_refsource_CONFIRM
https://lists.debian.org/debian-lts-announce/2018/04/msg0...
mailing-listx_refsource_MLIST
https://usn.ubuntu.com/3624-2/
vendor-advisoryx_refsource_UBUNTU

EPSS Score

1% chance of being exploited in the next 30 days.

CVSS V3.1

Score:
7.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.