CVE-2021-45261
https://notcve.org/view.php?id=CVE-2021-45261
An Invalid Pointer vulnerability exists in GNU patch 2.7 via the another_hunk function, which causes a Denial of Service. Se presenta una vulnerabilidad de Puntero no Válido en GNU patch versión 2.7, por medio de la función another_hunk, que causa una denegación de servicio • https://savannah.gnu.org/bugs/?61685 • CWE-763: Release of Invalid Pointer or Reference •
CVE-2019-20633
https://notcve.org/view.php?id=CVE-2019-20633
GNU patch through 2.7.6 contains a free(p_line[p_end]) Double Free vulnerability in the function another_hunk in pch.c that can cause a denial of service via a crafted patch file. NOTE: this issue exists because of an incomplete fix for CVE-2018-6952. El parche de GNU versiones hasta 2.7.6, contiene una vulnerabilidad de Doble Liberación en free(p_line [p_end]) en la función another_hunk en el archivo pch.c, que puede causar una denegación de servicio por medio de un archivo de parche diseñado. NOTA: este problema se presenta debido a una corrección incompleta para CVE-2018-6952. • https://savannah.gnu.org/bugs/index.php?56683 • CWE-415: Double Free •
CVE-2018-20969 – patch: do_ed_script in pch.c does not block strings beginning with a ! character
https://notcve.org/view.php?id=CVE-2018-20969
do_ed_script in pch.c in GNU patch through 2.7.6 does not block strings beginning with a ! character. NOTE: this is the same commit as for CVE-2019-13638, but the ! syntax is specific to ed, and is unrelated to a shell metacharacter. La función do_ed_script en el archivo pch.c en el parche GNU versiones hasta 2.7.6 no bloquea cadenas que comienzan con un carácter !. • http://packetstormsecurity.com/files/154124/GNU-patch-Command-Injection-Directory-Traversal.html https://access.redhat.com/errata/RHSA-2019:2798 https://access.redhat.com/errata/RHSA-2019:2964 https://access.redhat.com/errata/RHSA-2019:3757 https://access.redhat.com/errata/RHSA-2019:3758 https://access.redhat.com/errata/RHSA-2019:4061 https://git.savannah.gnu.org/cgit/patch.git/commit/?id=3fcd042d26d70856e826a42b5f93dc4854d80bf0 https://github.com/irsl/gnu-patch-vulnerabilities https://seclists. • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVE-2019-13638 – patch: OS shell command injection when processing crafted patch files
https://notcve.org/view.php?id=CVE-2019-13638
GNU patch through 2.7.6 is vulnerable to OS shell command injection that can be exploited by opening a crafted patch file that contains an ed style diff payload with shell metacharacters. The ed editor does not need to be present on the vulnerable system. This is different from CVE-2018-1000156. RouterOS de Mikrotik anterior a versión 6.44.5 (árbol de actualizaciones a largo plazo) es vulnerable al agotamiento de la memoria. Mediante el envío de una petición HTTP diseñada, un atacante remoto autenticado puede bloquear el servidor HTTP y, en algunas circunstancias, reiniciar el sistema. • http://packetstormsecurity.com/files/154124/GNU-patch-Command-Injection-Directory-Traversal.html https://access.redhat.com/errata/RHSA-2019:2798 https://access.redhat.com/errata/RHSA-2019:2964 https://access.redhat.com/errata/RHSA-2019:3757 https://access.redhat.com/errata/RHSA-2019:3758 https://access.redhat.com/errata/RHSA-2019:4061 https://git.savannah.gnu.org/cgit/patch.git/commit/?id=3fcd042d26d70856e826a42b5f93dc4854d80bf0 https://github.com/irsl/gnu-patch-vulnerabilities https://lists.fe • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVE-2019-13636 – patch: the following of symlinks in inp.c and util.c is mishandled in cases other than input files
https://notcve.org/view.php?id=CVE-2019-13636
In GNU patch through 2.7.6, the following of symlinks is mishandled in certain cases other than input files. This affects inp.c and util.c. En GNU parche hasta 2.7.6, el seguimiento de los enlaces simbólicos es manejado inapropiadamente en determinados casos diferentes a los archivos de entrada. Esto afecta a los archivos inp.c y util.c. GNU patch suffers from command injection and various other vulnerabilities when handling specially crafted patch files. • http://packetstormsecurity.com/files/154124/GNU-patch-Command-Injection-Directory-Traversal.html https://git.savannah.gnu.org/cgit/patch.git/commit/?id=dce4683cbbe107a95f1f0d45fabc304acfb5d71a https://github.com/irsl/gnu-patch-vulnerabilities https://lists.debian.org/debian-lts-announce/2019/07/msg00016.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SVWWGISFWACROJJPVJJL4UBLVZ7LPOLT https://seclists.org/bugtraq/2019/Aug/29 https://seclists.org/bugtraq/2019/Jul/54 https& • CWE-59: Improper Link Resolution Before File Access ('Link Following') •