CVE-2019-13638
Summary
| CVE | CVE-2019-13638 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2019-07-26 13:15:00 UTC |
| Updated | 2023-11-07 03:03:00 UTC |
| Description | GNU patch through 2.7.6 is vulnerable to OS shell command injection that can be exploited by opening a crafted patch file that contains an ed style diff payload with shell metacharacters. The ed editor does not need to be present on the vulnerable system. This is different from CVE-2018-1000156. |
Risk And Classification
Problem Types: CWE-78
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Operating System | Debian | Debian Linux | 10.0 | All | All | All |
| Operating System | Debian | Debian Linux | 8.0 | All | All | All |
| Operating System | Debian | Debian Linux | 9.0 | All | All | All |
| Operating System | Debian | Debian Linux | 10.0 | All | All | All |
| Operating System | Debian | Debian Linux | 8.0 | All | All | All |
| Operating System | Debian | Debian Linux | 9.0 | All | All | All |
| Application | Gnu | Patch | 2.7.6 | All | All | All |
| Application | Gnu | Patch | 2.7.6 | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| CVE-2019-13638 | MISC | security-tracker.debian.org | Third Party Advisory |
| Red Hat Customer Portal | REDHAT | access.redhat.com | |
| Red Hat Customer Portal | REDHAT | access.redhat.com | |
| [SECURITY] Fedora 30 Update: patch-2.7.6-11.fc30 - package-announce - Fedora Mailing-Lists | lists.fedoraproject.org | ||
| August 2019 GNU patch Vulnerabilities in NetApp Products | NetApp Product Security | CONFIRM | security.netapp.com | |
| Debian -- Security Information -- DSA-4489-1 patch | DEBIAN | www.debian.org | Third Party Advisory |
| Bugtraq: Details about recent GNU patch vulnerabilities | BUGTRAQ | seclists.org | |
| Bugtraq: [SECURITY] [DSA 4489-1] patch security update | BUGTRAQ | seclists.org | Mailing List, Third Party Advisory |
| GitHub - irsl/gnu-patch-vulnerabilities: The GNU patch utility was prone vulnerable to multiple attacks through version 2.7.6. You can find my related PoC files here. | MISC | github.com | |
| Red Hat Customer Portal | REDHAT | access.redhat.com | |
| Red Hat Customer Portal | REDHAT | access.redhat.com | |
| Red Hat Customer Portal | REDHAT | access.redhat.com | |
| patch.git - GNU patch | MISC | git.savannah.gnu.org | Mailing List, Patch, Vendor Advisory |
| [SECURITY] Fedora 30 Update: patch-2.7.6-11.fc30 - package-announce - Fedora Mailing-Lists | FEDORA | lists.fedoraproject.org | |
| Patch: Multiple vulnerabilities (GLSA 201908-22) — Gentoo security | GENTOO | security.gentoo.org | |
| GNU patch Command Injection / Directory Traversal ≈ Packet Storm | MISC | packetstormsecurity.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
Legacy QID Mappings
- 296079 Oracle Solaris 11.4 Support Repository Update (SRU) 15.5.0 Missing (CPUOCT2019)
- 377009 Alibaba Cloud Linux Security Update for patch (ALINUX2-SA-2019:0114)
- 378297 Virtuozzo Linux Security Update for patch (VZLSA-2019:2964)
- 500513 Alpine Linux Security Update for patch
- 504272 Alpine Linux Security Update for patch
- 671067 EulerOS Security Update for patch (EulerOS-SA-2019-2645)
- 900088 CBL-Mariner Linux Security Update for patch 2.7.6
- 901475 Common Base Linux Mariner (CBL-Mariner) Security Update for patch (6790-1)
- 903211 Common Base Linux Mariner (CBL-Mariner) Security Update for patch (2563)
- 906212 Common Base Linux Mariner (CBL-Mariner) Security Update for patch (2563-1)
- 906275 Common Base Linux Mariner (CBL-Mariner) Security Update for patch (6790-2)