Debian Long Term Support / LTS Security Information / 2018 / Security Information -- DLA-1348-1 patch

Debian Security Advisory

DLA-1348-1 patch -- LTS security update

Date Reported:

16 Apr 2018

Affected Packages:

patch

Vulnerable:

Yes

Security database references:

In Mitre's CVE dictionary: CVE-2018-1000156.

More information:

It was discovered that there was an input validation vulnerability in the patch(1) utility where an ed(1) script embedded in a regular input file could result in arbitrary code execution. This was reported by Rachel Kroll [0] et al.

For Debian 7 Wheezy, this issue has been fixed in patch version 2.6.1-3+deb7u1.

We recommend that you upgrade your patch packages.

[0] https://rachelbythebay.com/w/2018/04/05/bangpatch/