Advisories » MGASA-2020-0093

Updated patch packages fix security vulnerabilities

Publication date: 21 Feb 2020
Modification date: 21 Feb 2020
Type: security
Affected Mageia releases: 7
CVE: CVE-2019-13636, CVE-2019-13638, CVE-2018-20969

Description

Updated patch package fixes security vulnerabilities:

* In GNU patch through 2.7.6, the following of symlinks is mishandled
  in certain cases other than input files (CVE-2019-13636).

* GNU patch through 2.7.6 is vulnerable to OS shell command injection
  that can be exploited by opening a crafted patch file that contains an
  ed style diff payload with shell metacharacters (CVE-2019-13638).

* do_ed_script in pch.c in GNU patch through 2.7.6 does not block strings
  beginning with a ! character. NOTE: this is the same commit as for
  CVE-2019-13638, but the ! syntax is specific to ed, and is unrelated to
  a shell metacharacter (CVE-2018-20969).
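
A conservative pre-screen for untrusted patch files, based on the two ed-related entries above; this is an added example, not code from the advisory or from GNU patch. The regular expression used to recognise ed command lines, the function name and both sample inputs are assumptions constructed for illustration.

```python
import re

# Assumption: an ed-style diff is recognised by a command line such as
# "3a", "5,7c", "2d" or "4i" standing alone at the start of a line.
ED_COMMAND = re.compile(r"^\d+(,\d+)?[acdi]$")


def screen_patch(text):
    """Return (is_ed_style, findings) for an untrusted patch file.

    findings lists (line_number, line) for every line that starts with
    "!" after the first ed command line. The check is deliberately
    conservative: it does not try to decide whether ed would read the
    line as inserted text or as a command.
    """
    ed_start = None
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        if ed_start is None:
            if ED_COMMAND.match(line):
                ed_start = number
            continue
        if line.startswith("!"):
            findings.append((number, line))
    return ed_start is not None, findings


# Constructed sample: ed-style diff carrying a line that begins with "!".
ED_SAMPLE = "3a\nnew line\n!constructed-placeholder\n.\n1d\n"

# Constructed sample: context diff, where "! " only marks changed lines
# and must not be reported.
CONTEXT_SAMPLE = (
    "*** a.txt\n--- b.txt\n***************\n"
    "*** 1,3 ****\n  one\n! two\n  three\n"
    "--- 1,3 ----\n  one\n! 2\n  three\n"
)

if __name__ == "__main__":
    for name, sample in (("ed", ED_SAMPLE), ("context", CONTEXT_SAMPLE)):
        is_ed, hits = screen_patch(sample)
        print(name, "ed-style" if is_ed else "not ed-style", hits)
```

A plain search for lines starting with `!` would also flag every changed line of a context diff, which is why the screen only reports such lines once an ed command line has been seen.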
                

References

SRPMS

7/core