Vulnerabilities > CVE-2019-13638 - OS Command Injection vulnerability in multiple products

047910
CVSS 7.8 - HIGH
Attack vector
LOCAL
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
HIGH
Integrity impact
HIGH
Availability impact
HIGH
local
low complexity
gnu
debian
CWE-78
nessus

Summary

GNU patch through 2.7.6 is vulnerable to OS shell command injection that can be exploited by opening a crafted patch file that contains an ed style diff payload with shell metacharacters. The ed editor does not need to be present on the vulnerable system. This is different from CVE-2018-1000156.

Vulnerable Configurations

Part Description Count
Application
Gnu
1
OS
Debian
3

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Command Line Execution through SQL Injection
    An attacker uses standard SQL injection methods to inject data into the command line for execution. This could be done directly through misuse of directives such as MSSQL_xp_cmdshell or indirectly through injection of data into the database that would be interpreted as shell commands. Sometime later, an unscrupulous backend application (or could be part of the functionality of the same application) fetches the injected data stored in the database and uses this data as command line arguments without performing proper validation. The malicious data escapes that data plane by spawning new commands to be executed on the host.
  • Command Delimiters
    An attack of this type exploits a programs' vulnerabilities that allows an attacker's commands to be concatenated onto a legitimate command with the intent of targeting other resources such as the file system or database. The system that uses a filter or a blacklist input validation, as opposed to whitelist validation is vulnerable to an attacker who predicts delimiters (or combinations of delimiters) not present in the filter or blacklist. As with other injection attacks, the attacker uses the command delimiter payload as an entry point to tunnel through the application and activate additional attacks through SQL queries, shell commands, network scanning, and so on.
  • Exploiting Multiple Input Interpretation Layers
    An attacker supplies the target software with input data that contains sequences of special characters designed to bypass input validation logic. This exploit relies on the target making multiples passes over the input data and processing a "layer" of special characters with each pass. In this manner, the attacker can disguise input that would otherwise be rejected as invalid by concealing it with layers of special/escape characters that are stripped off by subsequent processing steps. The goal is to first discover cases where the input validation layer executes before one or more parsing layers. That is, user input may go through the following logic in an application: In such cases, the attacker will need to provide input that will pass through the input validator, but after passing through parser2, will be converted into something that the input validator was supposed to stop.
  • Argument Injection
    An attacker changes the behavior or state of a targeted application through injecting data or command syntax through the targets use of non-validated and non-filtered arguments of exposed services or methods.
  • OS Command Injection
    In this type of an attack, an adversary injects operating system commands into existing application functions. An application that uses untrusted input to build command strings is vulnerable. An adversary can leverage OS command injection in an application to elevate privileges, execute arbitrary commands and compromise the underlying operating system.

Nessus

  • NASL familyNewStart CGSL Local Security Checks
    NASL idNEWSTART_CGSL_NS-SA-2019-0253_PATCH.NASL
    descriptionThe remote NewStart CGSL host, running version CORE 5.05 / MAIN 5.05, has patch packages installed that are affected by multiple vulnerabilities: - An issue was discovered in GNU patch before 2.7.6. Out- of-bounds access within pch_write_line() in pch.c can possibly lead to DoS via a crafted input file. (CVE-2016-10713) - A double free exists in the another_hunk function in pch.c in GNU patch through 2.7.6. (CVE-2018-6952) - GNU patch through 2.7.6 is vulnerable to OS shell command injection that can be exploited by opening a crafted patch file that contains an ed style diff payload with shell metacharacters. The ed editor does not need to be present on the vulnerable system. This is different from CVE-2018-1000156. (CVE-2019-13638) - do_ed_script in pch.c in GNU patch through 2.7.6 does not block strings beginning with a ! character. NOTE: this is the same commit as for CVE-2019-13638, but the ! syntax is specific to ed, and is unrelated to a shell metacharacter. (CVE-2018-20969) Note that Nessus has not tested for this issue but has instead relied only on the application
    last seen2020-06-01
    modified2020-06-02
    plugin id132496
    published2019-12-31
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/132496
    titleNewStart CGSL CORE 5.05 / MAIN 5.05 : patch Multiple Vulnerabilities (NS-SA-2019-0253)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    # The descriptive text and package checks in this plugin were
    # extracted from ZTE advisory NS-SA-2019-0253. The text
    # itself is copyright (C) ZTE, Inc.
    
    include('compat.inc');
    
    if (description)
    {
      script_id(132496);
      script_version("1.2");
      script_cvs_date("Date: 2020/01/02");
    
      script_cve_id(
        "CVE-2016-10713",
        "CVE-2018-6952",
        "CVE-2018-20969",
        "CVE-2019-13638"
      );
      script_bugtraq_id(103047, 103063);
    
      script_name(english:"NewStart CGSL CORE 5.05 / MAIN 5.05 : patch Multiple Vulnerabilities (NS-SA-2019-0253)");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote machine is affected by multiple vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "The remote NewStart CGSL host, running version CORE 5.05 / MAIN 5.05, has patch packages installed that are affected by
    multiple vulnerabilities:
    
      - An issue was discovered in GNU patch before 2.7.6. Out-
        of-bounds access within pch_write_line() in pch.c can
        possibly lead to DoS via a crafted input file.
        (CVE-2016-10713)
    
      - A double free exists in the another_hunk function in
        pch.c in GNU patch through 2.7.6. (CVE-2018-6952)
    
      - GNU patch through 2.7.6 is vulnerable to OS shell
        command injection that can be exploited by opening a
        crafted patch file that contains an ed style diff
        payload with shell metacharacters. The ed editor does
        not need to be present on the vulnerable system. This is
        different from CVE-2018-1000156. (CVE-2019-13638)
    
      - do_ed_script in pch.c in GNU patch through 2.7.6 does
        not block strings beginning with a ! character. NOTE:
        this is the same commit as for CVE-2019-13638, but the !
        syntax is specific to ed, and is unrelated to a shell
        metacharacter. (CVE-2018-20969)
    
    Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
    number.");
      script_set_attribute(attribute:"see_also", value:"http://security.gd-linux.com/notice/NS-SA-2019-0253");
      script_set_attribute(attribute:"solution", value:
    "Upgrade the vulnerable CGSL patch packages. Note that updated packages may not be available yet. Please contact ZTE for
    more information.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-13638");
    
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2018/02/13");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/12/27");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/12/31");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"NewStart CGSL Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/ZTE-CGSL/release", "Host/ZTE-CGSL/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    release = get_kb_item("Host/ZTE-CGSL/release");
    if (isnull(release) || release !~ "^CGSL (MAIN|CORE)") audit(AUDIT_OS_NOT, "NewStart Carrier Grade Server Linux");
    
    if (release !~ "CGSL CORE 5.05" &&
        release !~ "CGSL MAIN 5.05")
      audit(AUDIT_OS_NOT, 'NewStart CGSL CORE 5.05 / NewStart CGSL MAIN 5.05');
    
    if (!get_kb_item("Host/ZTE-CGSL/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "NewStart Carrier Grade Server Linux", cpu);
    
    flag = 0;
    
    pkgs = {
      "CGSL CORE 5.05": [
        "patch-2.7.1-12.el7_7",
        "patch-debuginfo-2.7.1-12.el7_7"
      ],
      "CGSL MAIN 5.05": [
        "patch-2.7.1-12.el7_7",
        "patch-debuginfo-2.7.1-12.el7_7"
      ]
    };
    pkg_list = pkgs[release];
    
    foreach (pkg in pkg_list)
      if (rpm_check(release:"ZTE " + release, reference:pkg)) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "patch");
    }
    
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2019-2964.NASL
    descriptionAn update for patch is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The patch program applies diff files to originals. The diff command is used to compare an original to a changed file. Diff lists the changes made to the file. A person who has the original file can then use the patch command with the diff file to add the changes to their original file (patching the file). Security Fix(es) : * patch: do_ed_script in pch.c does not block strings beginning with a ! character (CVE-2018-20969) * patch: OS shell command injection when processing crafted patch files (CVE-2019-13638) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
    last seen2020-06-01
    modified2020-06-02
    plugin id129576
    published2019-10-04
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/129576
    titleRHEL 7 : patch (RHSA-2019:2964)
  • NASL familyScientific Linux Local Security Checks
    NASL idSL_20191003_PATCH_ON_SL7_X.NASL
    descriptionSecurity Fix(es) : - patch: do_ed_script in pch.c does not block strings beginning with a ! character (CVE-2018-20969) - patch: OS shell command injection when processing crafted patch files (CVE-2019-13638) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
    last seen2020-03-18
    modified2019-10-04
    plugin id129577
    published2019-10-04
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/129577
    titleScientific Linux Security Update : patch on SL7.x x86_64 (20191003)
  • NASL familyAmazon Linux Local Security Checks
    NASL idAL2_ALAS-2019-1317.NASL
    descriptiondo_ed_script in pch.c in GNU patch through 2.7.6 does not block strings beginning with a ! character. NOTE: this is the same commit as for CVE-2019-13638 , but the ! syntax is specific to ed, and is unrelated to a shell metacharacter.(CVE-2018-20969) GNU patch through 2.7.6 is vulnerable to OS shell command injection that can be exploited by opening a crafted patch file that contains an ed style diff payload with shell metacharacters. The ed editor does not need to be present on the vulnerable system. This is different from CVE-2018-1000156 .(CVE-2019-13638) A heap-based out-of-bounds read flaw was found in the way the patch utility parsed patch files. An attacker could potentially use this flaw to crash the patch utility by tricking it into processing crafted patch files.(CVE-2016-10713) A double-free flaw was found in the way the patch utility processed patch files. An attacker could potentially use this flaw to crash the patch utility by tricking it into processing crafted patches.(CVE-2018-6952)
    last seen2020-06-01
    modified2020-06-02
    plugin id130214
    published2019-10-25
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/130214
    titleAmazon Linux 2 : patch (ALAS-2019-1317)
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-4071-1.NASL
    descriptionIt was discovered that Patch incorrectly handled certain files. An attacker could possibly use this issue to access sensitive information. (CVE-2019-13636) It was discovered that Patch incorrectly handled certain files. An attacker could possibly use this issue to execute arbitrary code. (CVE-2019-13638). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id127042
    published2019-07-25
    reporterUbuntu Security Notice (C) 2019 Canonical, Inc. / NASL script (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/127042
    titleUbuntu 16.04 LTS / 18.04 LTS / 19.04 : patch vulnerabilities (USN-4071-1)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2020-1346.NASL
    descriptionAccording to the versions of the python3 packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities : - In Python (CPython) 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8 through 3.8.1, an insecure dependency load upon launch on Windows 7 may result in an attacker
    last seen2020-04-07
    modified2020-04-02
    plugin id135133
    published2020-04-02
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/135133
    titleEulerOS Virtualization for ARM 64 3.0.6.0 : python3 (EulerOS-SA-2020-1346)
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DLA-1864.NASL
    descriptionAn issue with quoting has been found in patch, a tool to apply a diff file to an original, when invoking ed. In order to avoid this, ed is now directly started instead of calling a shell which starts ed. For Debian 8
    last seen2020-06-01
    modified2020-06-02
    plugin id127076
    published2019-07-26
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/127076
    titleDebian DLA-1864-1 : patch security update
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2019-2798.NASL
    descriptionAn update for patch is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The patch program applies diff files to originals. The diff command is used to compare an original to a changed file. Diff lists the changes made to the file. A person who has the original file can then use the patch command with the diff file to add the changes to their original file (patching the file). Security Fix(es) : * patch: do_ed_script in pch.c does not block strings beginning with a ! character (CVE-2018-20969) * patch: OS shell command injection when processing crafted patch files (CVE-2019-13638) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
    last seen2020-06-01
    modified2020-06-02
    plugin id129038
    published2019-09-19
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/129038
    titleRHEL 8 : patch (RHSA-2019:2798)
  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-201908-22.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-201908-22 (Patch: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in Patch. Please review the CVE identifiers referenced below for details. Impact : A local attacker could pass a specially crafted diff file to Patch, possibly resulting in a Denial of Service condition or arbitrary code execution. Workaround : There is no known workaround at this time.
    last seen2020-06-01
    modified2020-06-02
    plugin id127971
    published2019-08-20
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/127971
    titleGLSA-201908-22 : Patch: Multiple vulnerabilities
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2020-1022.NASL
    descriptionAccording to the versions of the patch package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - do_ed_script in pch.c in GNU patch through 2.7.6 does not block strings beginning with a ! character. NOTE: this is the same commit as for CVE-2019-13638, but the ! syntax is specific to ed, and is unrelated to a shell metacharacter.(CVE-2018-20969) - GNU patch through 2.7.6 is vulnerable to OS shell command injection that can be exploited by opening a crafted patch file that contains an ed style diff payload with shell metacharacters. The ed editor does not need to be present on the vulnerable system. This is different from CVE-2018-1000156.(CVE-2019-13638) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-05-03
    modified2020-01-02
    plugin id132615
    published2020-01-02
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/132615
    titleEulerOS 2.0 SP8 : patch (EulerOS-SA-2020-1022)
  • NASL familyAmazon Linux Local Security Checks
    NASL idALA_ALAS-2019-1312.NASL
    descriptiondo_ed_script in pch.c in GNU patch through 2.7.6 does not block strings beginning with a ! character. NOTE: this is the same commit as for CVE-2019-13638 , but the ! syntax is specific to ed, and is unrelated to a shell metacharacter.(CVE-2018-20969) GNU patch through 2.7.6 is vulnerable to OS shell command injection that can be exploited by opening a crafted patch file that contains an ed style diff payload with shell metacharacters. The ed editor does not need to be present on the vulnerable system. This is different from CVE-2018-1000156 . (CVE-2019-13638) A heap-based out-of-bounds read flaw was found in the way the patch utility parsed patch files. An attacker could potentially use this flaw to crash the patch utility by tricking it into processing crafted patch files.(CVE-2016-10713) A double-free flaw was found in the way the patch utility processed patch files. An attacker could potentially use this flaw to crash the patch utility by tricking it into processing crafted patches.(CVE-2018-6952)
    last seen2020-06-01
    modified2020-06-02
    plugin id130282
    published2019-10-28
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/130282
    titleAmazon Linux AMI : patch (ALAS-2019-1312)
  • NASL familyPhotonOS Local Security Checks
    NASL idPHOTONOS_PHSA-2019-3_0-0025_PATCH.NASL
    descriptionAn update of the patch package has been released.
    last seen2020-06-01
    modified2020-06-02
    plugin id128739
    published2019-09-12
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/128739
    titlePhoton OS 3.0: Patch PHSA-2019-3.0-0025
  • NASL familyNewStart CGSL Local Security Checks
    NASL idNEWSTART_CGSL_NS-SA-2019-0223_PATCH.NASL
    descriptionThe remote NewStart CGSL host, running version CORE 5.04 / MAIN 5.04, has patch packages installed that are affected by multiple vulnerabilities: - GNU patch through 2.7.6 is vulnerable to OS shell command injection that can be exploited by opening a crafted patch file that contains an ed style diff payload with shell metacharacters. The ed editor does not need to be present on the vulnerable system. This is different from CVE-2018-1000156. (CVE-2019-13638) - do_ed_script in pch.c in GNU patch through 2.7.6 does not block strings beginning with a ! character. NOTE: this is the same commit as for CVE-2019-13638, but the ! syntax is specific to ed, and is unrelated to a shell metacharacter. (CVE-2018-20969) Note that Nessus has not tested for this issue but has instead relied only on the application
    last seen2020-06-01
    modified2020-06-02
    plugin id131420
    published2019-12-02
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/131420
    titleNewStart CGSL CORE 5.04 / MAIN 5.04 : patch Multiple Vulnerabilities (NS-SA-2019-0223)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2020-1065.NASL
    descriptionAccording to the versions of the patch package installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities : - GNU patch through 2.7.6 is vulnerable to OS shell command injection that can be exploited by opening a crafted patch file that contains an ed style diff payload with shell metacharacters. The ed editor does not need to be present on the vulnerable system. This is different from CVE-2018-1000156.(CVE-2019-13638) - do_ed_script in pch.c in GNU patch through 2.7.6 does not block strings beginning with a ! character. NOTE: this is the same commit as for CVE-2019-13638, but the ! syntax is specific to ed, and is unrelated to a shell metacharacter.(CVE-2018-20969) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id132819
    published2020-01-13
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/132819
    titleEulerOS Virtualization for ARM 64 3.0.5.0 : patch (EulerOS-SA-2020-1065)
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-4489.NASL
    descriptionImre Rad discovered several vulnerabilities in GNU patch, leading to shell command injection or escape from the working directory and access and overwrite files, if specially crafted patch files are processed. This update includes a bugfix for a regression introduced by the patch to address CVE-2018-1000156 when applying an ed-style patch (#933140).
    last seen2020-06-01
    modified2020-06-02
    plugin id127102
    published2019-07-29
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/127102
    titleDebian DSA-4489-1 : patch - security update
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2019-2219.NASL
    descriptionAccording to the versions of the patch package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - do_ed_script in pch.c in GNU patch through 2.7.6 does not block strings beginning with a ! character. NOTE: this is the same commit as for CVE-2019-13638, but the ! syntax is specific to ed, and is unrelated to a shell metacharacter.(CVE-2018-20969) - GNU patch through 2.7.6 is vulnerable to OS shell command injection that can be exploited by opening a crafted patch file that contains an ed style diff payload with shell metacharacters. The ed editor does not need to be present on the vulnerable system. This is different from CVE-2018-1000156.(CVE-2019-13638) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-05-08
    modified2019-11-08
    plugin id130681
    published2019-11-08
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/130681
    titleEulerOS 2.0 SP5 : patch (EulerOS-SA-2019-2219)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2019-3758.NASL
    descriptionAn update for patch is now available for Red Hat Enterprise Linux 7.6 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The patch program applies diff files to originals. The diff command is used to compare an original to a changed file. Diff lists the changes made to the file. A person who has the original file can then use the patch command with the diff file to add the changes to their original file (patching the file). Security Fix(es) : * patch: do_ed_script in pch.c does not block strings beginning with a ! character (CVE-2018-20969) * patch: OS shell command injection when processing crafted patch files (CVE-2019-13638) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
    last seen2020-06-01
    modified2020-06-02
    plugin id130744
    published2019-11-08
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/130744
    titleRHEL 7 : patch (RHSA-2019:3758)
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2019-2798.NASL
    descriptionFrom Red Hat Security Advisory 2019:2798 : An update for patch is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The patch program applies diff files to originals. The diff command is used to compare an original to a changed file. Diff lists the changes made to the file. A person who has the original file can then use the patch command with the diff file to add the changes to their original file (patching the file). Security Fix(es) : * patch: do_ed_script in pch.c does not block strings beginning with a ! character (CVE-2018-20969) * patch: OS shell command injection when processing crafted patch files (CVE-2019-13638) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
    last seen2020-06-01
    modified2020-06-02
    plugin id129086
    published2019-09-20
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/129086
    titleOracle Linux 8 : patch (ELSA-2019-2798)
  • NASL familyPhotonOS Local Security Checks
    NASL idPHOTONOS_PHSA-2019-2_0-0172_PATCH.NASL
    descriptionAn update of the patch package has been released.
    last seen2020-06-01
    modified2020-06-02
    plugin id128712
    published2019-09-12
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/128712
    titlePhoton OS 2.0: Patch PHSA-2019-2.0-0172
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2020-1225.NASL
    descriptionAccording to the versions of the patch package installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities : - An issue was discovered in GNU patch before 2.7.6. Out-of-bounds access within pch_write_line() in pch.c can possibly lead to DoS via a crafted input file.(CVE-2016-10713) - GNU patch 2.7.2 and earlier allows remote attackers to cause a denial of service (memory consumption and segmentation fault) via a crafted diff file.(CVE-2014-9637) - GNU patch 2.7.1 allows remote attackers to write to arbitrary files via a symlink attack in a patch file.(CVE-2015-1196) - GNU patch through 2.7.6 is vulnerable to OS shell command injection that can be exploited by opening a crafted patch file that contains an ed style diff payload with shell metacharacters. The ed editor does not need to be present on the vulnerable system. This is different from CVE-2018-1000156.(CVE-2019-13638) - do_ed_script in pch.c in GNU patch through 2.7.6 does not block strings beginning with a ! character. NOTE: this is the same commit as for CVE-2019-13638, but the ! syntax is specific to ed, and is unrelated to a shell metacharacter.(CVE-2018-20969) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-03-19
    modified2020-03-13
    plugin id134514
    published2020-03-13
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/134514
    titleEulerOS Virtualization for ARM 64 3.0.2.0 : patch (EulerOS-SA-2020-1225)
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2019-2964.NASL
    descriptionFrom Red Hat Security Advisory 2019:2964 : An update for patch is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The patch program applies diff files to originals. The diff command is used to compare an original to a changed file. Diff lists the changes made to the file. A person who has the original file can then use the patch command with the diff file to add the changes to their original file (patching the file). Security Fix(es) : * patch: do_ed_script in pch.c does not block strings beginning with a ! character (CVE-2018-20969) * patch: OS shell command injection when processing crafted patch files (CVE-2019-13638) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
    last seen2020-06-01
    modified2020-06-02
    plugin id129574
    published2019-10-04
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/129574
    titleOracle Linux 7 : patch (ELSA-2019-2964)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2019-2645.NASL
    descriptionAccording to the versions of the patch package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - An issue was discovered in GNU patch before 2.7.6. Out-of-bounds access within pch_write_line() in pch.c can possibly lead to DoS via a crafted input file.(CVE-2016-10713) - do_ed_script in pch.c in GNU patch through 2.7.6 does not block strings beginning with a ! character. NOTE: this is the same commit as for CVE-2019-13638, but the ! syntax is specific to ed, and is unrelated to a shell metacharacter.(CVE-2018-20969) - GNU patch 2.7.1 allows remote attackers to write to arbitrary files via a symlink attack in a patch file.(CVE-2015-1196) - GNU patch 2.7.2 and earlier allows remote attackers to cause a denial of service (memory consumption and segmentation fault) via a crafted diff file.(CVE-2014-9637) - GNU patch through 2.7.6 is vulnerable to OS shell command injection that can be exploited by opening a crafted patch file that contains an ed style diff payload with shell metacharacters. The ed editor does not need to be present on the vulnerable system. This is different from CVE-2018-1000156.(CVE-2019-13638) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-05-08
    modified2019-12-18
    plugin id132180
    published2019-12-18
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/132180
    titleEulerOS 2.0 SP3 : patch (EulerOS-SA-2019-2645)
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2019-2964.NASL
    descriptionAn update for patch is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The patch program applies diff files to originals. The diff command is used to compare an original to a changed file. Diff lists the changes made to the file. A person who has the original file can then use the patch command with the diff file to add the changes to their original file (patching the file). Security Fix(es) : * patch: do_ed_script in pch.c does not block strings beginning with a ! character (CVE-2018-20969) * patch: OS shell command injection when processing crafted patch files (CVE-2019-13638) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
    last seen2020-06-01
    modified2020-06-02
    plugin id130176
    published2019-10-24
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/130176
    titleCentOS 7 : patch (CESA-2019:2964)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2019-3757.NASL
    descriptionAn update for patch is now available for Red Hat Enterprise Linux 7.5 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The patch program applies diff files to originals. The diff command is used to compare an original to a changed file. Diff lists the changes made to the file. A person who has the original file can then use the patch command with the diff file to add the changes to their original file (patching the file). Security Fix(es) : * patch: do_ed_script in pch.c does not block strings beginning with a ! character (CVE-2018-20969) * patch: OS shell command injection when processing crafted patch files (CVE-2019-13638) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
    last seen2020-06-01
    modified2020-06-02
    plugin id130743
    published2019-11-08
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/130743
    titleRHEL 7 : patch (RHSA-2019:3757)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2020-1446.NASL
    descriptionAccording to the versions of the patch package installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities : - A double free exists in the another_hunk function in pch.c in GNU patch through 2.7.6.(CVE-2018-6952) - Directory traversal vulnerability in GNU patch versions which support Git-style patching before 2.7.3 allows remote attackers to write to arbitrary files with the permissions of the target user via a .. (dot dot) in a diff file name.(CVE-2015-1395) - An issue was discovered in GNU patch before 2.7.6. Out-of-bounds access within pch_write_line() in pch.c can possibly lead to DoS via a crafted input file.(CVE-2016-10713) - GNU patch 2.7.2 and earlier allows remote attackers to cause a denial of service (memory consumption and segmentation fault) via a crafted diff file.(CVE-2014-9637) - This vulnerability has been modified since it was last analyzed by the NVD. It is awaiting reanalysis which may result in further changes to the information provided.(CVE-2015-1196) - GNU patch through 2.7.6 is vulnerable to OS shell command injection that can be exploited by opening a crafted patch file that contains an ed style diff payload with shell metacharacters. The ed editor does not need to be present on the vulnerable system. This is different from CVE-2018-1000156.(CVE-2019-13638) - do_ed_script in pch.c in GNU patch through 2.7.6 does not block strings beginning with a ! character. NOTE: this is the same commit as for CVE-2019-13638, but the ! syntax is specific to ed, and is unrelated to a shell metacharacter.(CVE-2018-20969) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-04-30
    modified2020-04-16
    plugin id135608
    published2020-04-16
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/135608
    titleEulerOS Virtualization 3.0.2.2 : patch (EulerOS-SA-2020-1446)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2019-4061.NASL
    descriptionAn update for patch is now available for Red Hat Enterprise Linux 7.4 Advanced Update Support, Red Hat Enterprise Linux 7.4 Telco Extended Update Support, and Red Hat Enterprise Linux 7.4 Update Services for SAP Solutions. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The patch program applies diff files to originals. The diff command is used to compare an original to a changed file. Diff lists the changes made to the file. A person who has the original file can then use the patch command with the diff file to add the changes to their original file (patching the file). Security Fix(es) : * patch: do_ed_script in pch.c does not block strings beginning with a ! character (CVE-2018-20969) * patch: OS shell command injection when processing crafted patch files (CVE-2019-13638) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
    last seen2020-06-01
    modified2020-06-02
    plugin id131676
    published2019-12-04
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/131676
    titleRHEL 7 : patch (RHSA-2019:4061)

Redhat

advisories
  • bugzilla
    id1746672
    titleCVE-2018-20969 patch: do_ed_script in pch.c does not block strings beginning with a ! character
    oval
    OR
    • commentRed Hat Enterprise Linux must be installed
      ovaloval:com.redhat.rhba:tst:20070304026
    • AND
      • commentRed Hat Enterprise Linux 8 is installed
        ovaloval:com.redhat.rhba:tst:20193384074
      • OR
        • AND
          • commentpatch-debugsource is earlier than 0:2.7.6-9.el8_0
            ovaloval:com.redhat.rhsa:tst:20192798001
          • commentpatch-debugsource is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20192798002
        • AND
          • commentpatch is earlier than 0:2.7.6-9.el8_0
            ovaloval:com.redhat.rhsa:tst:20192798003
          • commentpatch is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20181199002
    rhsa
    idRHSA-2019:2798
    released2019-09-19
    severityImportant
    titleRHSA-2019:2798: patch security update (Important)
  • bugzilla
    id1746672
    titleCVE-2018-20969 patch: do_ed_script in pch.c does not block strings beginning with a ! character
    oval
    OR
    • commentRed Hat Enterprise Linux must be installed
      ovaloval:com.redhat.rhba:tst:20070304026
    • AND
      • commentRed Hat Enterprise Linux 7 is installed
        ovaloval:com.redhat.rhba:tst:20150364027
      • commentpatch is earlier than 0:2.7.1-12.el7_7
        ovaloval:com.redhat.rhsa:tst:20192964001
      • commentpatch is signed with Red Hat redhatrelease2 key
        ovaloval:com.redhat.rhsa:tst:20181199002
    rhsa
    idRHSA-2019:2964
    released2019-10-03
    severityImportant
    titleRHSA-2019:2964: patch security update (Important)
  • rhsa
    idRHSA-2019:3757
  • rhsa
    idRHSA-2019:3758
  • rhsa
    idRHSA-2019:4061
rpms
  • patch-0:2.7.6-9.el8_0
  • patch-debuginfo-0:2.7.6-9.el8_0
  • patch-debugsource-0:2.7.6-9.el8_0
  • patch-0:2.7.1-12.el7_7
  • patch-debuginfo-0:2.7.1-12.el7_7
  • patch-0:2.7.1-11.el7_5
  • patch-debuginfo-0:2.7.1-11.el7_5
  • patch-0:2.7.1-11.el7_6
  • patch-debuginfo-0:2.7.1-11.el7_6
  • patch-0:2.7.1-11.el7_4
  • patch-debuginfo-0:2.7.1-11.el7_4

References