MGASA-2020-0093

Source
https://advisories.mageia.org/MGASA-2020-0093.html
Import Source
https://advisories.mageia.org/MGASA-2020-0093.json
JSON Data
https://api.osv.dev/v1/vulns/MGASA-2020-0093
Published
2020-02-21T23:06:01Z
Modified
2020-02-21T22:38:49Z
Summary
Updated patch packages fix security vulnerabilities
Details

Updated patch package fixes security vulnerabilities:

  • In GNU patch through 2.7.6, the following of symlinks is mishandled in certain cases other than input files (CVE-2019-13636).

  • GNU patch through 2.7.6 is vulnerable to OS shell command injection that can be exploited by opening a crafted patch file that contains an ed style diff payload with shell metacharacters (CVE-2019-13638).

  • do_ed_script in pch.c in GNU patch through 2.7.6 does not block strings beginning with a ! character. NOTE: this is the same commit as for CVE-2019-13638, but the ! syntax is specific to ed, and is unrelated to a shell metacharacter (CVE-2018-20969).


Affected packages

Mageia:7 / patch

Package

Name
patch
Purl
pkg:rpm/mageia/patch?distro=mageia-7

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
2.7.6-4.1.mga7

Ecosystem specific

{
    "section": "core"
}