patch: OS shell command injection vulnerability (CVE-2019-13638)
GNU patch through 2.7.6 is vulnerable to OS shell command injection that can be exploited by opening a crafted patch file that contains an ed style diff payload with shell metacharacters. The ed editor does not need to be present on the vulnerable system.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2019-13638
Patch:
https://git.savannah.gnu.org/cgit/patch.git/commit/?id=3fcd042d26d70856e826a42b5f93dc4854d80bf0
Affected branches:
- master
- 3.10-stable
- 3.9-stable
- 3.8-stable
- 3.7-stable
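A pre-apply check for the condition described in this advisory, as an added example that is not part of the advisory or of GNU patch: it flags ed-style hunk commands and target file names carrying shell metacharacters before a patch file is handed to `patch`. The ed command pattern, the header lines scanned and the metacharacter set are assumptions of this example, and the two sample patches are constructed.

```python
import re
from typing import List, Tuple

# ed script address/command lines as produced by `diff -e`, e.g. "3a", "5,7c", "12d"
# (assumed pattern for this example, not taken from GNU patch's source)
ED_CMD = re.compile(r"^\d+(?:,\d+)?[acd]$")
# Header lines from which a target file name is taken (assumed set)
HEADER = re.compile(r"^(?:Index:|\+\+\+|---|\*\*\*)\s+(\S+)")
# Characters a shell would interpret if the name were passed to it unquoted
SHELL_META = set(";|&$`<>()\"'\\*?")

# Constructed samples: an ordinary unified diff, and an ed-style diff whose
# target name contains a metacharacter (the combination this advisory describes).
SAFE_SAMPLE = "--- a/f.c\n+++ b/f.c\n@@ -1 +1 @@\n-x\n+y\n"
ED_SAMPLE = "Index: file;name.txt\n3,4d\n1a\nhello\n.\n"


def find_issues(patch_text: str) -> List[Tuple[int, str]]:
    """Return (line_no, message) for each header file name containing shell
    metacharacters and for each ed-style hunk command found in patch_text."""
    issues = []
    for n, line in enumerate(patch_text.splitlines(), 1):
        m = HEADER.match(line)
        if m:
            name = m.group(1)
            bad = sorted(set(name) & SHELL_META)
            if bad:
                issues.append((n, f"file name {name!r} contains shell metacharacters {bad}"))
            continue
        if ED_CMD.match(line):
            issues.append((n, f"ed-style hunk command {line!r}"))
    return issues


def is_safe_to_apply(patch_text: str) -> bool:
    """True when neither condition is present in the patch text."""
    return not find_issues(patch_text)


if __name__ == "__main__":
    for label, sample in (("safe", SAFE_SAMPLE), ("ed", ED_SAMPLE)):
        print(label, is_safe_to_apply(sample), find_issues(sample))
```

Rejecting ed-style hunks outright is the simplest policy when none of your patches are produced with `diff -e`; the returned line numbers let a review tool point at the offending header or hunk.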