CVE-2018-1000156

Source
Severity High
Remote No
Type Arbitrary command execution
Description
An arbitrary command execution vulnerability has been found in patch before 2.7.7 when applying ed-style patches. Due to insufficient sanitization of the input patch stream, a crafted patch file can cause patch to pass attacker-controlled ed scripts to the ed editor; ed's "!" command hands the rest of its line to the shell, so such a script runs commands. This issue could be exploited to execute arbitrary commands as the user invoking patch against a specifically crafted patch file, which could be leveraged to obtain elevated privileges.
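The check a practitioner would want before feeding an untrusted ed-style patch to an older patch binary is an allowlist over the ed script: accept only the numeric-addressed a/c/i/d/s commands that diff -e emits (plus the trailing w and q), treat everything inside an a/c/i text block as data, and reject any other command line, which covers the "!" shell escape. The following is an added illustration of that check, not code from GNU patch or from this advisory; the regular expressions, the header prefixes it skips, and the three sample patches are assumptions constructed for the example.

```python
import re

# Numeric address or range as "diff -e" emits it. Regex, "." and "$"
# addresses are deliberately not accepted: patch never needs them.
_ADDR = r"(?:\d+(?:,\d+)?)?"
# a/c/i open a text block terminated by a lone "."; d deletes lines.
_SIMPLE = re.compile(rf"^{_ADDR}[acid]$")
# s/pattern/replacement/[flags], the other command ed-style diffs carry.
_SUBST = re.compile(rf"^{_ADDR}s/(?:[^/\\]|\\.)*/(?:[^/\\]|\\.)*/[gp0-9]*$")
_TEXT_BLOCK_CMDS = set("aci")
# File headers that precede the ed script in a patch file (assumed set).
_HEADERS = ("--- ", "+++ ", "Index: ", "diff ", "====")


def audit_ed_patch(text):
    """Return (ok, lineno, reason) for an ed-style patch.

    ok is True only if every command line is on the allowlist above.
    lineno is the 1-based line of the first offending line, else None.
    """
    lines = text.splitlines()
    i, n = 0, len(lines)
    while i < n and lines[i].startswith(_HEADERS):
        i += 1
    while i < n:
        line = lines[i]
        if line in ("w", "q"):
            i += 1
            continue
        if _SIMPLE.match(line):
            if line[-1] in _TEXT_BLOCK_CMDS:
                # Lines up to the lone "." are inserted text, not commands,
                # so a "!" in here is harmless and must not be flagged.
                i += 1
                while i < n and lines[i] != ".":
                    i += 1
                if i >= n:
                    return False, n, "unterminated text block"
            i += 1
            continue
        if _SUBST.match(line):
            i += 1
            continue
        # Anything else, including "!cmd", would reach ed as a command.
        return False, i + 1, f"ed command not in the allowlist: {line!r}"
    return True, None, None


# Constructed sample inputs for the example (not taken from the advisory).
BENIGN_ED_PATCH = """\
--- a/greeting.txt
+++ b/greeting.txt
3c
goodbye, world
.
1,2d
w
q
"""

TEXT_WITH_BANG = """\
--- a/notes.txt
+++ b/notes.txt
1a
!this line is inserted text, not an ed command
.
w
q
"""

SHELL_ESCAPE_ED_PATCH = """\
--- a/greeting.txt
+++ b/greeting.txt
1d
!id
w
q
"""

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_ED_PATCH),
                         ("bang-in-text", TEXT_WITH_BANG),
                         ("shell-escape", SHELL_ESCAPE_ED_PATCH)):
        print(name, audit_ed_patch(sample))
```

Run it over a patch before invoking patch on it; with patch 2.7.7 or later the check is redundant, but it is cheap insurance on hosts that still carry the vulnerable 2.7.6 package listed below.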
Group    Package  Affected  Fixed  Severity  Status      Ticket
AVG-668  patch    2.7.6-1          High      Vulnerable
References
http://git.savannah.gnu.org/cgit/patch.git/commit/?id=123eaff0d5d1aebe128295959435b9ca5909c26d
https://savannah.gnu.org/bugs/?53566