[Buildroot] [PATCH 5/5] package/patch: annotate CVE-2019-13638
Fabrice Fontaine
fontaine.fabrice at gmail.com
Tue Mar 3 19:47:03 UTC 2020
GNU patch through 2.7.6 is vulnerable to OS shell command injection that
can be exploited by opening a crafted patch file that contains an ed
style diff payload with shell metacharacters. The ed editor does not
need to be present on the vulnerable system. This is different from
CVE-2018-1000156.
Signed-off-by: Fabrice Fontaine <fontaine.fabrice at gmail.com>
---
package/patch/patch.mk | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/package/patch/patch.mk b/package/patch/patch.mk
index ae9b838a62..b7f5bac05a 100644
--- a/package/patch/patch.mk
+++ b/package/patch/patch.mk
@@ -17,7 +17,7 @@ PATCH_IGNORE_CVES += CVE-2018-6951
PATCH_IGNORE_CVES += CVE-2018-1000156
# 0004-Invoke-ed-directly-instead-of-using-the-shell.patch
-PATCH_IGNORE_CVES += CVE-2018-20969
+PATCH_IGNORE_CVES += CVE-2018-20969 CVE-2019-13638
# 0005-Don-t-follow-symlinks-unless--follow-symlinks-is-given.patch
PATCH_IGNORE_CVES += CVE-2019-13636
--
2.25.0
More information about the buildroot
mailing list