CVE-2019-13636

Published: 17/07/2019 Updated: 07/11/2023
CVSS v2 Base Score: 5.8 | Impact Score: 4.9 | Exploitability Score: 8.6
CVSS v3 Base Score: 5.9 | Impact Score: 3.6 | Exploitability Score: 2.2
VMScore: 516
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:P

Vulnerability Summary

In GNU patch up to and including 2.7.6, the following of symlinks is mishandled in certain cases other than input files. This affects inp.c and util.c.

Vulnerable Product

gnu patch

Vendor Advisories

Debian Bug report logs - #932401 patch: CVE-2019-13636 Package: src:patch; Maintainer for src:patch is Laszlo Boszormenyi (GCS) <gcs@debian.org>; Reported by: Salvatore Bonaccorso <carnil@debian.org> Date: Thu, 18 Jul 2019 19:30:16 UTC Severity: grave Tags: security, upstream Found in versions patch/2.7.6-4, patch/2 ...
Several security issues were fixed in Patch ...
Synopsis: Moderate: patch security and bug fix update. Type/Severity: Security Advisory: Moderate. Topic: An update for patch is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base s ...
Synopsis: Moderate: OpenShift Container Platform 4.6.1 image security update. Type/Severity: Security Advisory: Moderate. Topic: An update is now available for Red Hat OpenShift Container Platform 4.6. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability S ...
Imre Rad discovered several vulnerabilities in GNU patch, leading to shell command injection or escape from the working directory and access and overwrite files, if specially crafted patch files are processed. This update includes a bugfix for a regression introduced by the patch to address CVE-2018-1000156 when applying an ed-style patch (#933140) ...
In GNU patch through 2.7.6, the following of symlinks is mishandled in certain cases other than input files. This affects inp.c and util.c (CVE-2019-13636) ...
Impact: Moderate Public Date: 2019-07-24 CWE: CWE-59 Bugzilla: 1732781: CVE-2019-13636 patch: the follo ...

Github Repositories

The GNU patch utility was vulnerable to multiple attacks through version 2.7.6. You can find my related PoC files here.

GNU patch vulnerabilities. I identified several vulnerabilities in the GNU patch utility, some of them making it possible to execute arbitrary code if the victim opens a crafted patch file. It also turned out, some of these vulnerabilities had been silently addressed by the maintainer back then in 2018 when CVE-2018-1000156 was reported by pushing some additional commits the sam