CVE-2018-1000156 - log back

CVE-2018-1000156 created at 25 Sep 2019 19:31:40
Severity
+ High
Remote
+ Local
Type
+ Arbitrary command execution
Description
+ An arbitrary command execution vulnerability has been found in patch versions prior to 2.7.7 when applying ed-style patches. Due to insufficient sanitization of the input patch stream, it is possible for a patch file to cause patch to pass certain ed scripts to the ed editor, which would run commands. This issue could be exploited to execute arbitrary commands as the user invoking patch against a specially crafted patch file, which could be leveraged to obtain elevated privileges.
References
+ https://savannah.gnu.org/bugs/?53566
+ https://git.savannah.gnu.org/cgit/patch.git/commit/?id=123eaff0d5d1aebe128295959435b9ca5909c26d
+ https://git.savannah.gnu.org/cgit/patch.git/commit/?id=3fcd042d26d70856e826a42b5f93dc4854d80bf0
Notes