patch-2.7.1-12.el7
エラータID: AXSA:2019-4344:02
リリース日:
2019/10/23 Wednesday - 08:41
題名:
patch-2.7.1-12.el7
影響のあるチャネル:
Asianux Server 7 for x86_64
Severity:
High
Description:
[Security Fix]
- GNU patchには、 a! で始まる文字列をブロックしない脆弱性があります。
(CVE- 2018-20969)
- GNU patchには、シェルのメタ文字を含む ed スタイルの diff ペイロードを
開かせることで、シェルコマンドの挿入が可能な脆弱性があります。
(CVE-2019-13638)
一部CVEの翻訳文はJVNからの引用になります。
http://jvndb.jvn.jp/
解決策:
パッケージをアップデートしてください。
CVE:
CVE-2018-20969
do_ed_script in pch.c in GNU patch through 2.7.6 does not block strings beginning with a ! character. NOTE: this is the same commit as for CVE-2019-13638, but the ! syntax is specific to ed, and is unrelated to a shell metacharacter.
do_ed_script in pch.c in GNU patch through 2.7.6 does not block strings beginning with a ! character. NOTE: this is the same commit as for CVE-2019-13638, but the ! syntax is specific to ed, and is unrelated to a shell metacharacter.
CVE-2019-13638
GNU patch through 2.7.6 is vulnerable to OS shell command injection that can be exploited by opening a crafted patch file that contains an ed style diff payload with shell metacharacters. The ed editor does not need to be present on the vulnerable system. This is different from CVE-2018-1000156.
GNU patch through 2.7.6 is vulnerable to OS shell command injection that can be exploited by opening a crafted patch file that contains an ed style diff payload with shell metacharacters. The ed editor does not need to be present on the vulnerable system. This is different from CVE-2018-1000156.
追加情報:
N/A
ダウンロード:
SRPMS
- patch-2.7.1-12.el7.src.rpm
MD5: 941123dac97d0d3b71d507605d7fb9d2
SHA-256: 74b1fc46a743b01e2718f2e4d6d96ca3d2a79a7613207ce801f0aca25d5f34e3
Size: 685.64 kB
Asianux Server 7 for x86_64
- patch-2.7.1-12.el7.x86_64.rpm
MD5: 10baebb2fc133a8f50ba470d19084250
SHA-256: 1c0870a9387ee214b46caa988db3218d36f2dc66a36c77ab6562b9b0261c46e7
Size: 109.60 kB
English