CVE-2018-1000156
published 2018-04-06
high 7.8 CVSS 3.0
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
GNU Patch version 2.7.6 contains an input validation vulnerability when processing patch files: specifically, the EDITOR_PROGRAM invocation (using ed) can result in code execution. This attack appears to be exploitable via a patch file processed by the patch utility. This is similar to FreeBSD's CVE-2015-1418; however, although they share a common ancestry, the code bases have diverged over time.
Affected
61 ranges · showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | patch | < patch 2.7.6-5 (bookworm) | patch 2.7.6-5 (bookworm) |
| debian | patch | < patch 2.7.6-2 (bookworm) | patch 2.7.6-2 (bookworm) |
| gnu | patch | — | — |
| gnu | patch | >= 0 < 2.7.6-5 | 2.7.6-5 |
| gnu | patch | >= 0 < 2.7.6-2 | 2.7.6-2 |
| gnu | patch | >= 0 < 2.7.6-5 | 2.7.6-5 |
| gnu | patch | >= 0 < 2.7.6-2 | 2.7.6-2 |
| gnu | patch | >= 0 < 2.7.6-5 | 2.7.6-5 |
| gnu | patch | >= 0 < 2.7.6-2 | 2.7.6-2 |
| gnu | patch | >= 0 < 2.7.6-5 | 2.7.6-5 |
| gnu | patch | >= 0 < 2.7.6-2 | 2.7.6-2 |
| gnu | patch | >= 0 < 2.7.1-4ubuntu2.4 | 2.7.1-4ubuntu2.4 |
| gnu | patch | >= 0 < 2.7.5-1ubuntu0.16.04.1 | 2.7.5-1ubuntu0.16.04.1 |
| msrc | azl3_patch_2.7.6-9_on_azure_linux_3.0 | — | — |
| msrc | cbl2_patch_2.7.6-7_on_cbl_mariner_2.0 | — | — |
| msrc | cbl_mariner_1.0_arm | — | — |
| msrc | cbl_mariner_1.0_x64 | — | — |
CVSS provenance
nvd v3.0 7.8 HIGH CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
osv 7.8 HIGH