CVE-2019-13636

Name
CVE-2019-13636
Description
In GNU patch through 2.7.6, the following of symlinks is mishandled in certain cases other than input files. This affects inp.c and util.c.
NVD Severity
medium

References

| Type | URI |
|---|---|
| Mailing List | https://git.savannah.gnu.org/cgit/patch.git/commit/?id=dce4683cbbe107a95f1f0d45fabc304acfb5d71a |
| Third Party Advisory | https://lists.debian.org/debian-lts-announce/2019/07/msg00016.html |
| UBUNTU | https://usn.ubuntu.com/4071-1/ |
| UBUNTU | https://usn.ubuntu.com/4071-2/ |
| DEBIAN | https://www.debian.org/security/2019/dsa-4489 |
| BUGTRAQ | https://seclists.org/bugtraq/2019/Jul/54 |
| BUGTRAQ | https://seclists.org/bugtraq/2019/Aug/29 |
| MISC | http://packetstormsecurity.com/files/154124/GNU-patch-Command-Injection-Directory-Traversal.html |
| GENTOO | https://security.gentoo.org/glsa/201908-22 |
| FEDORA | https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SVWWGISFWACROJJPVJJL4UBLVZ7LPOLT/ |
| CONFIRM | https://security.netapp.com/advisory/ntap-20190828-0001/ |
| MISC | https://github.com/irsl/gnu-patch-vulnerabilities |

Match rules

| CPE URI | Source package | Min version | Max version |
|---|---|---|---|
| cpe:2.3:a:gnu:patch:*:*:*:*:*:*:*:* | patch | >= None | <= 2.7.6 |

Vulnerable and fixed packages

| Source package | Branch | Version | Maintainer | Status |
|---|---|---|---|---|
| patch | edge-main | 2.7.6-r10 | Natanael Copa <ncopa@alpinelinux.org> | fixed |
| patch | 3.21-main | 2.7.6-r10 | Natanael Copa <ncopa@alpinelinux.org> | fixed |
| patch | 3.20-main | 2.7.6-r10 | Natanael Copa <ncopa@alpinelinux.org> | fixed |
| patch | 3.19-main | 2.7.6-r10 | Natanael Copa <ncopa@alpinelinux.org> | fixed |
| patch | 3.18-main | 2.7.6-r10 | Natanael Copa <ncopa@alpinelinux.org> | fixed |
| patch | 3.17-main | 2.7.6-r9 | Natanael Copa <ncopa@alpinelinux.org> | fixed |
| patch | 3.12-main | 2.7.6-r7 | Natanael Copa <ncopa@alpinelinux.org> | fixed |
| patch | 3.11-main | 2.7.6-r7 | Natanael Copa <ncopa@alpinelinux.org> | fixed |