CVE-2018-1000156 log

Source	CVE Red Hat MITRE NVD Debian Ubuntu SUSE Alpine Mageia CVE Details CIRCL Bugs Arch Linux Red Hat Gentoo SUSE GitHub Lists oss-security full-disclosure bugtraq Misc GitHub code web search
Severity	High
Remote	No
Type	Arbitrary command execution
Description	An arbitrary command execution vulnerability has been found in patch versions prior to 2.7.7 when applying ed-style patches. Due to insufficient sanitization of the input patch stream, it is possible for a patch file to cause patch to pass certain ed scripts to the ed editor, which would run commands. This issue could be exploited to execute arbitrary commands as the user invoking patch against a specially crafted patch file, which could be leveraged to obtain elevated privileges.

Group	Package	Affected	Fixed	Severity	Status	Ticket
AVG-808	patch	2.7.6-3	2.7.6-7	High	Fixed	FS#57526
AVG-619	patch	2.7.6-1	2.7.6-3	High	Fixed	FS#57526

Date	Advisory	Group	Package	Severity	Type
12 Nov 2018	ASA-201811-14	AVG-808	patch	High	multiple issues
09 Oct 2018	ASA-201810-8	AVG-619	patch	High	multiple issues

References
https://savannah.gnu.org/bugs/?53566 https://git.savannah.gnu.org/cgit/patch.git/commit/?id=123eaff0d5d1aebe128295959435b9ca5909c26d https://git.savannah.gnu.org/cgit/patch.git/commit/?id=3fcd042d26d70856e826a42b5f93dc4854d80bf0

References

https://savannah.gnu.org/bugs/?53566
https://git.savannah.gnu.org/cgit/patch.git/commit/?id=123eaff0d5d1aebe128295959435b9ca5909c26d
https://git.savannah.gnu.org/cgit/patch.git/commit/?id=3fcd042d26d70856e826a42b5f93dc4854d80bf0