CVE-2019-13638
- Source
- https://cve.org/CVERecord?id=CVE-2019-13638
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2019-13638.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2019-13638
- Downstream
- Related
- Published
- 2019-07-26T13:15:12.783Z
- Modified
- 2026-03-20T11:28:03.177742Z
- Severity
-
- 7.8 (High) CVSS_V3 - CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- [none]
- Details
-
GNU patch through 2.7.6 is vulnerable to OS shell command injection that can be exploited by opening a crafted patch file that contains an ed style diff payload with shell metacharacters. The ed editor does not need to be present on the vulnerable system. This is different from CVE-2018-1000156.
- References
-
- https://seclists.org/bugtraq/2019/Aug/29
- http://packetstormsecurity.com/files/154124/GNU-patch-Command-Injection-Directory-Traversal.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SVWWGISFWACROJJPVJJL4UBLVZ7LPOLT/
- https://access.redhat.com/errata/RHSA-2019:2798
- https://access.redhat.com/errata/RHSA-2019:2964
- https://access.redhat.com/errata/RHSA-2019:3757
- https://seclists.org/bugtraq/2019/Jul/54
- https://security.gentoo.org/glsa/201908-22
- https://access.redhat.com/errata/RHSA-2019:3758
- https://access.redhat.com/errata/RHSA-2019:4061
- https://security-tracker.debian.org/tracker/CVE-2019-13638
- https://security.netapp.com/advisory/ntap-20190828-0001/
- https://www.debian.org/security/2019/dsa-4489
- https://git.savannah.gnu.org/cgit/patch.git/commit/?id=3fcd042d26d70856e826a42b5f93dc4854d80bf0
- https://github.com/irsl/gnu-patch-vulnerabilities
Affected packages
Git / cgit.git.savannah.gnu.org/cgit/patch.git
Affected ranges
- Type
- GIT
- Repo
- https://cgit.git.savannah.gnu.org/cgit/patch.git
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed3fcd042d26d70856e826a42b5f93dc4854d80bf0
Affected versions
v2.*
v2.1
v2.2
v2.3
v2.4
v2.5
v2.5.3
v2.5.4
v2.5.7
v2.5.8
v2.5.9
v2.6
v2.6.1
v2.7
v2.7.1
v2.7.2
v2.7.3
v2.7.4
v2.7.5
v2.7.6
Database specific
source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2019-13638.json"
unresolved_ranges
[
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "8.0"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "9.0"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "10.0"
}
]
}
]