Input Validation Flaw in GNU Patch Leading to Code Execution
CVE-2018-1000156

7.8HIGH

Key Information:

Vendor
Gnu
Status
Patch
Vendor
CVE Published:
6 April 2018

Summary

GNU Patch version 2.7.6 has a significant input validation issue when handling patch files. This vulnerability occurs specifically during the invocation of the EDITOR_PROGRAM (using 'ed'), which can be exploited to execute arbitrary code. An attacker can craft a malicious patch file that, when processed by the patch utility, could allow the execution of unexpected code in the system. Although resembling a prior issue documented in FreeBSD, the code bases have developed differences over time, presenting unique risks in this instance.

References

https://savannah.gnu.org/bugs/index.php?53566
x_refsource_CONFIRM
https://lists.debian.org/debian-lts-announce/2018/04/msg0...
mailing-listx_refsource_MLIST
https://usn.ubuntu.com/3624-2/
vendor-advisoryx_refsource_UBUNTU

EPSS Score

44% chance of being exploited in the next 30 days.

CVSS V3.1

Score:
7.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.