Home
Packages
Forums
Wiki
GitLab
Security
AUR
Download

issues
advisories
todo
stats
log
login

CVE-2018-1000156 - log back

CVE-2018-1000156 created at 25 Sep 2019 19:31:40

Severity

+

High

Remote

+

Local

Type

+	Arbitrary command execution

Description

+

An arbitrary command execution vulnerability has been found in patch versions prior to 2.7.7 when applying ed-style patches. Due to insufficient sanitization of the input patch stream, it is possible for a patch file to cause patch to pass certain ed scripts to the ed editor, which would run commands. This issue could be exploited to execute arbitrary commands as the user invoking patch against a specially crafted patch file, which could be leveraged to obtain elevated privileges.

References

+	https://savannah.gnu.org/bugs/?53566
+	https://git.savannah.gnu.org/cgit/patch.git/commit/?id=123eaff0d5d1aebe128295959435b9ca5909c26d
+	https://git.savannah.gnu.org/cgit/patch.git/commit/?id=3fcd042d26d70856e826a42b5f93dc4854d80bf0

Notes