CVE-2018-1000156

Public on 2018-05-10
Modified on 2018-05-10
Description
GNU Patch version 2.7.6 contains an input validation vulnerability when processing patch files, specifically the EDITOR_PROGRAM invocation (using ed) can result in code execution. This attack appear to be exploitable via a patch file processed via the patch utility. This is similar to FreeBSD's CVE-2015-1418 however although they share a common ancestry the code bases have diverged over time.
Severity
Important
CVSS v3 Base Score
7.8
See breakdown

Affected Packages

Platform Package Release Date Advisory
Amazon Linux 2 patch 2018-05-10 17:06 ALAS2-2018-1008
Amazon Linux 1 patch 2018-05-10 16:52 ALAS-2018-1008

CVSS Scores

Score Type Score Vector
Amazon Linux CVSSv3 7.8 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
NVD CVSSv2 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P
NVD CVSSv3 7.8 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H