CVE-2018-20969

patch: do_ed_script in pch.c does not block strings beginning with a ! character

Severity Score

7.8

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

do_ed_script in pch.c in GNU patch through 2.7.6 does not block strings beginning with a ! character. NOTE: this is the same commit as for CVE-2019-13638, but the ! syntax is specific to ed, and is unrelated to a shell metacharacter.

La función do_ed_script en el archivo pch.c en el parche GNU versiones hasta 2.7.6 no bloquea cadenas que comienzan con un carácter !. NOTA: este es el mismo commit para CVE-2019-13638, pero la sintaxis ! es específica para ed y no está relacionada con un metacarácter de shell.

A flaw was found in GNU patch through version 2.7.6. Strings beginning with a exclamation mark are not blocked by default. When ed receives an exclamation mark-prefixed command line argument, the argument is executed as a shell command. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

The patch program applies diff files to originals. The diff command is used to compare an original to a changed file. Diff lists the changes made to the file. A person who has the original file can then use the patch command with the diff file to add the changes to their original file. Issues addressed include a code execution vulnerability.

*Credits: N/A

CVSS Scores

Attack Vector

Local

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

Medium

Authentication

None

Confidentiality

Complete

Integrity

Complete

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2019-08-15 CVE Reserved
2019-08-16 CVE Published
2019-08-16 First Exploit
2024-08-05 CVE Updated
2025-03-30 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CAPEC

References (12)

URL	Tag	Source
http://packetstormsecurity.com/files/154124/GNU-patch-Command-Injection-Directory-Traversal.html	Third Party Advisory
https://github.com/irsl/gnu-patch-vulnerabilities	X_refsource_misc

URL	Date	SRC
https://packetstorm.news/files/id/154124	2019-08-16
https://seclists.org/bugtraq/2019/Aug/29	2024-08-05

URL	Date	SRC
https://git.savannah.gnu.org/cgit/patch.git/commit/?id=3fcd042d26d70856e826a42b5f93dc4854d80bf0	2019-09-05

URL	Date	SRC
https://access.redhat.com/errata/RHSA-2019:2798	2019-09-05
https://access.redhat.com/errata/RHSA-2019:2964	2019-09-05
https://access.redhat.com/errata/RHSA-2019:3757	2019-09-05
https://access.redhat.com/errata/RHSA-2019:3758	2019-09-05
https://access.redhat.com/errata/RHSA-2019:4061	2019-09-05
https://access.redhat.com/security/cve/CVE-2018-20969	2019-12-03
https://bugzilla.redhat.com/show_bug.cgi?id=1746672	2019-12-03

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Gnu Search vendor "Gnu"		Patch Search vendor "Gnu" for product "Patch"				<= 2.7.6 Search vendor "Gnu" for product "Patch" and version " <= 2.7.6"		-		Affected