CVE-2018-20969

Published: 16 August 2019

do_ed_script in pch.c in GNU patch through 2.7.6 does not block strings beginning with a ! character. NOTE: this is the same commit as for CVE-2019-13638, but the ! syntax is specific to ed, and is unrelated to a shell metacharacter.

Priority

CVSS 3 base score: 7.8

Status

Package	Release	Status
patch Launchpad, Ubuntu, Debian	Upstream	Released (2.7.6-5)




	Ubuntu 18.04 LTS (Bionic Beaver)	Released (2.7.6-2ubuntu1.1)
	Ubuntu 16.04 ESM (Xenial Xerus)	Released (2.7.5-1ubuntu0.16.04.2)
	Ubuntu 14.04 ESM (Trusty Tahr)	Released (2.7.1-4ubuntu2.4+esm1)
	Patches: Upstream: https://git.savannah.gnu.org/cgit/patch.git/commit/?id=3fcd042d26d70856e826a42b5f93dc4854d80bf0

References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20969
https://ubuntu.com/security/notices/USN-4071-1
https://ubuntu.com/security/notices/USN-4071-2
NVD
Launchpad
Debian

Bugs

https://bugs.launchpad.net/ubuntu/+source/patch/+bug/1837001

Join the discussion

Ubuntu security updates mailing list
Security announcements mailing list

Canonical is offering Extended Security Maintenance

Canonical is offering Ubuntu Extended Security Maintenance (ESM) for security fixes and essential packages.

Find out more about ESM ›