CVE-2018-20969

do_ed_script in pch.c in GNU patch through 2.7.6 does not block strings beginning with a ! character. NOTE: this is the same commit as for CVE-2019-13638, but the ! syntax is specific to ed, and is unrelated to a shell metacharacter.
OS Command Injection
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
7.8 HIGH
LOCAL
LOW
NONE
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
mitreCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 72%
VendorProductVersion
gnupatch
𝑥
≤ 2.7.6
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
patch
sid
2.7.6-7
fixed
trixie
2.7.6-7
fixed
bookworm
2.7.6-7
fixed
bullseye
2.7.6-7
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
patch
disco
Fixed 2.7.6-3ubuntu0.1
released
bionic
Fixed 2.7.6-2ubuntu1.1
released
xenial
Fixed 2.7.5-1ubuntu0.16.04.2
released
trusty
Fixed 2.7.1-4ubuntu2.4+esm1
released
Common Weakness Enumeration
References
http://packetstormsecurity.com/files/154124/GNU-patch-Command-Injection-Directory-Traversal.html
https://access.redhat.com/errata/RHSA-2019:2798
https://access.redhat.com/errata/RHSA-2019:2964
https://access.redhat.com/errata/RHSA-2019:3757
https://access.redhat.com/errata/RHSA-2019:3758
https://access.redhat.com/errata/RHSA-2019:4061
https://git.savannah.gnu.org/cgit/patch.git/commit/?id=3fcd042d26d70856e826a42b5f93dc4854d80bf0
https://github.com/irsl/gnu-patch-vulnerabilities
https://seclists.org/bugtraq/2019/Aug/29
http://packetstormsecurity.com/files/154124/GNU-patch-Command-Injection-Directory-Traversal.html
https://access.redhat.com/errata/RHSA-2019:2798
https://access.redhat.com/errata/RHSA-2019:2964
https://access.redhat.com/errata/RHSA-2019:3757
https://access.redhat.com/errata/RHSA-2019:3758
https://access.redhat.com/errata/RHSA-2019:4061
https://git.savannah.gnu.org/cgit/patch.git/commit/?id=3fcd042d26d70856e826a42b5f93dc4854d80bf0
https://github.com/irsl/gnu-patch-vulnerabilities
https://seclists.org/bugtraq/2019/Aug/29