A vulnerability was found in GNU patch through 2.7.6: it is vulnerable to OS shell command injection that can be exploited by opening a crafted patch file that contains an ed style diff payload with shell metacharacters. The ed editor does not need to be present on the vulnerable system. This is different from CVE-2018-1000156. Reference: https://git.savannah.gnu.org/cgit/patch.git/commit/?id=3fcd042d26d70856e826a42b5f93dc4854d80bf0
Created patch tracking bugs for this issue: Affects: fedora-all [bug 1733917]
During patch file processing, patch application calls the 'ed' file editor. As the invocation was done using a shell command to spawn an ed process, patch was susceptible to command injection via crafted patch files. An attacker may use this weakness to run arbitrary shell commands when the user is applying patch files.
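The two properties the comment above calls out (an ed-style diff, and shell metacharacters reaching a shell-spawned ed) are something a CI job or code-review bot can screen for before an unfixed patch binary ever opens the file. The following pre-filter is an added illustration, not code from GNU patch or from Red Hat; the regexes approximate what ed, unified and context diffs look like and are not patch's own format detection, and the function name scan_patch and the constructed sample patches are assumptions.

```python
import re

# "12a", "3,5c", "7d", "4i": an ed address followed by a bare command letter.
# Normal diffs put a second address after the letter ("3c3"), so they do not match.
ED_CMD = re.compile(r"^\d+(,\d+)?[acdi]$")
# File header lines from which patch derives the target file name.
FILE_HDR = re.compile(r"^(\+\+\+ |--- |\*\*\* |Index: )(.+)$")
# Characters that would be interpreted by a shell if the name reached one.
SHELL_META = frozenset("!$`|;&<>(){}")


def scan_patch(text):
    """Return (verdict, findings) for one patch file's text.

    verdict is "ok" when nothing suspicious is present and "reject" otherwise;
    findings is a list of (line_no, reason) tuples for the reviewer.
    """
    findings = []
    in_ed_text = False  # inside the literal text block of an ed a/c/i command
    for no, line in enumerate(text.splitlines(), 1):
        if in_ed_text:
            in_ed_text = line != "."  # a lone "." terminates the text block
            continue
        hdr = FILE_HDR.match(line)
        if hdr and SHELL_META & set(hdr.group(2)):
            findings.append((no, "shell metacharacters in target file name"))
        elif ED_CMD.match(line):
            findings.append((no, "ed-style hunk command"))
            in_ed_text = line[-1] in "aci"  # a/c/i are followed by text lines
    verdict = "reject" if findings else "ok"
    return verdict, findings


if __name__ == "__main__":
    # Constructed samples: a plain unified diff and an ed-style diff.
    unified = "--- a/f.c\n+++ b/f.c\n@@ -1,2 +1,2 @@\n-int x;\n+int y;\n int z;\n"
    ed_style = "1,2c\nint y;\n.\n5d\n"
    for name, sample in (("unified", unified), ("ed-style", ed_style)):
        verdict, findings = scan_patch(sample)
        print(name, verdict, findings)
```

A policy that rejects any ed-style hunk is usually acceptable, since unified and context diffs are what reviewers expect anyway; the metacharacter check on header lines is a second, independent signal.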
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2019:2798 https://access.redhat.com/errata/RHSA-2019:2798
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-13638
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2019:2964 https://access.redhat.com/errata/RHSA-2019:2964
This issue has been addressed in the following products: Red Hat Enterprise Linux 7.5 Extended Update Support Via RHSA-2019:3757 https://access.redhat.com/errata/RHSA-2019:3757
This issue has been addressed in the following products: Red Hat Enterprise Linux 7.6 Extended Update Support Via RHSA-2019:3758 https://access.redhat.com/errata/RHSA-2019:3758
The version of patch shipped with Red Hat Enterprise Linux 6 is not affected. The vulnerability was introduced in upstream patch version 2.7, while RHEL 6 ships patch version 2.6.x.
This issue has been addressed in the following products: Red Hat Enterprise Linux 7.4 Advanced Update Support, Red Hat Enterprise Linux 7.4 Update Services for SAP Solutions, Red Hat Enterprise Linux 7.4 Telco Extended Update Support Via RHSA-2019:4061 https://access.redhat.com/errata/RHSA-2019:4061
Statement: Red Hat Enterprise Linux 6 is not affected by this vulnerability as the shipped version of patch did not carry the code that introduced this flaw.