Bug 1746672 (CVE-2018-20969)

Summary: CVE-2018-20969 patch: do_ed_script in pch.c does not block strings beginning with a ! character
Product: [Other] Security Response
Reporter: Dhananjay Arunesh <darunesh>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: high
Priority: high
Version: unspecified
CC: than, twaugh
Keywords: Security
Hardware: All
OS: Linux
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in GNU patch through version 2.7.6. Strings beginning with an exclamation mark are not blocked by default. When ed receives an exclamation mark-prefixed command line argument, the argument is executed as a shell command. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Last Closed: 2019-09-19 06:45:36 UTC
Bug Depends On: 1746673, 1747863, 1747864, 1747865, 1747866, 1759538, 1759539, 1759548, 1764222
Bug Blocks: 1746675

Description Dhananjay Arunesh 2019-08-29 05:53:34 UTC
A vulnerability was found in GNU patch through 2.7.6: do_ed_script in pch.c does not block strings beginning with a ! character. NOTE: this is the same commit as for CVE-2019-13638, but the ! syntax is specific to ed, and is unrelated to a shell metacharacter.

Reference:
https://git.savannah.gnu.org/cgit/patch.git/commit/?id=3fcd042d26d70856e826a42b5f93dc4854d80bf0
https://seclists.org/bugtraq/2019/Aug/29

Comment 1 Dhananjay Arunesh 2019-08-29 05:53:59 UTC
Created patch tracking bugs for this issue:

Affects: fedora-all [bug 1746673]

Comment 3 errata-xmlrpc 2019-09-19 04:08:08 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:2798 https://access.redhat.com/errata/RHSA-2019:2798

Comment 4 Product Security DevOps Team 2019-09-19 06:45:36 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2018-20969

Comment 9 errata-xmlrpc 2019-10-03 14:04:10 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:2964 https://access.redhat.com/errata/RHSA-2019:2964

Comment 15 errata-xmlrpc 2019-11-06 16:57:24 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.5 Extended Update Support

Via RHSA-2019:3757 https://access.redhat.com/errata/RHSA-2019:3757

Comment 16 errata-xmlrpc 2019-11-06 17:05:35 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.6 Extended Update Support

Via RHSA-2019:3758 https://access.redhat.com/errata/RHSA-2019:3758

Comment 18 Marco Benatto 2019-11-20 12:56:19 UTC
The version of patch shipped with Red Hat Enterprise Linux 6 is not affected. The vulnerability was introduced in upstream patch version 2.7, while RHEL6 ships version 2.6.x of patch.

Comment 21 errata-xmlrpc 2019-12-03 11:00:57 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.4 Advanced Update Support
  Red Hat Enterprise Linux 7.4 Update Services for SAP Solutions
  Red Hat Enterprise Linux 7.4 Telco Extended Update Support

Via RHSA-2019:4061 https://access.redhat.com/errata/RHSA-2019:4061

Comment 23 Eric Christensen 2020-05-04 15:43:55 UTC
External References:

https://seclists.org/bugtraq/2019/Aug/29