CVE-2018-1000156: Input Validation

First published: Fri Apr 06 2018(Updated: )

GNU patch does not properly sanitize patch files allowing for malicious patches to pass arbitrary shell commands to ed. An attacker could exploit this by tricking a user into applying malicious patches with the patch command.

Credit: cve@mitre.org cve@mitre.org

Affected Software	Affected Version	How to fix
GNU patch	=2.7.6
Canonical Ubuntu Linux	=12.04
Canonical Ubuntu Linux	=14.04
Canonical Ubuntu Linux	=16.04
Canonical Ubuntu Linux	=17.10
Debian Debian Linux	=7.0
Redhat Enterprise Linux Desktop	=6.0
Redhat Enterprise Linux Desktop	=7.0
Redhat Enterprise Linux Server	=6.0
Redhat Enterprise Linux Server	=7.0
Redhat Enterprise Linux Server Aus	=6.4
Redhat Enterprise Linux Server Aus	=6.5
Redhat Enterprise Linux Server Aus	=6.6
Redhat Enterprise Linux Server Aus	=7.2
Redhat Enterprise Linux Server Aus	=7.3
Redhat Enterprise Linux Server Aus	=7.4
Redhat Enterprise Linux Server Aus	=7.6
Redhat Enterprise Linux Server Eus	=6.7
Redhat Enterprise Linux Server Eus	=7.3
Redhat Enterprise Linux Server Eus	=7.4
Redhat Enterprise Linux Server Eus	=7.5
Redhat Enterprise Linux Server Eus	=7.6
Redhat Enterprise Linux Server Tus	=6.6
Redhat Enterprise Linux Server Tus	=7.2
Redhat Enterprise Linux Server Tus	=7.3
Redhat Enterprise Linux Server Tus	=7.4
Redhat Enterprise Linux Server Tus	=7.6
Redhat Enterprise Linux Workstation	=6.0
Redhat Enterprise Linux Workstation	=7.0
debian/patch		2.7.6-7

Remedy

http://git.savannah.gnu.org/cgit/patch.git/commit/?id=123eaff0d5d1aebe128295959435b9ca5909c26d

Never miss a vulnerability like this again

Reference Links

collector/nvd-index
agent/type
collector/launchpad-cve
source/Launchpad
collector/redhat-bugzilla
source/Red Hat
alias/CVE-2018-1000156
agent/author
agent/remedy
agent/weakness
agent/severity
collector/security-tracker-debian
source/Debian
agent/software-canonical-lookup
collector/mitre-cve
source/MITRE
collector/usn-cve
source/Ubuntu
agent/references
agent/softwarecombine
agent/tags
agent/description
agent/first-publish-date
agent/event
collector/nvd-cve
source/NVD
agent/last-modified-date
agent/trending
vendor/gnu
canonical/gnu patch
version/gnu patch/2.7.6
vendor/canonical
canonical/canonical ubuntu linux
version/canonical ubuntu linux/12.04
version/canonical ubuntu linux/14.04
version/canonical ubuntu linux/16.04
version/canonical ubuntu linux/17.10
vendor/debian
canonical/debian debian linux
version/debian debian linux/7.0
vendor/redhat
canonical/redhat enterprise linux desktop
version/redhat enterprise linux desktop/6.0
version/redhat enterprise linux desktop/7.0
canonical/redhat enterprise linux server
version/redhat enterprise linux server/6.0
version/redhat enterprise linux server/7.0
canonical/redhat enterprise linux server aus
version/redhat enterprise linux server aus/6.4
version/redhat enterprise linux server aus/6.5
version/redhat enterprise linux server aus/6.6
version/redhat enterprise linux server aus/7.2
version/redhat enterprise linux server aus/7.3
version/redhat enterprise linux server aus/7.4
version/redhat enterprise linux server aus/7.6
canonical/redhat enterprise linux server eus
version/redhat enterprise linux server eus/6.7
version/redhat enterprise linux server eus/7.3
version/redhat enterprise linux server eus/7.4
version/redhat enterprise linux server eus/7.5
version/redhat enterprise linux server eus/7.6
canonical/redhat enterprise linux server tus
version/redhat enterprise linux server tus/6.6
version/redhat enterprise linux server tus/7.2
version/redhat enterprise linux server tus/7.3
version/redhat enterprise linux server tus/7.4
version/redhat enterprise linux server tus/7.6
canonical/redhat enterprise linux workstation
version/redhat enterprise linux workstation/6.0
version/redhat enterprise linux workstation/7.0
package-manager/debian

CVE-2018-1000156: Input Validation

Remedy

Never miss a vulnerability like this again

Reference Links

Company

Resources

Contact