{"id":"MGASA-2020-0093","summary":"Updated patch packages fix security vulnerabilities","details":"Updated patch package fixes security vulnerabilities:\n\n* In GNU patch through 2.7.6, the following of symlinks is mishandled\n  in certain cases other than input files. (CVE-2019-13636).\n\n* A vulnerability was found in GNU patch through 2.7.6 is vulnerable to\n  OS shell command injection that can be exploited by opening a crafted\n  patch file that contains an ed style diff payload with shell\n  metacharacters (CVE-2019-13638).\n\n* A vulnerability was found in do_ed_script in pch.c in GNU patch through\n  2.7.6 does not block strings beginning with a ! character. NOTE: this\n is the same commit as for CVE-2019-13638, but the ! syntax is specific to\n  ed, and is unrelated to a shell metacharacter (CVE-2018-20969).\n","modified":"2026-04-16T01:45:14.152746558Z","published":"2020-02-21T23:06:01Z","upstream":["CVE-2018-20969","CVE-2019-13636","CVE-2019-13638"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2020-0093.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=25279"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/SVWWGISFWACROJJPVJJL4UBLVZ7LPOLT/"},{"type":"WEB","url":"https://access.redhat.com/errata/RHSA-2019:2798"}],"affected":[{"package":{"name":"patch","ecosystem":"Mageia:7","purl":"pkg:rpm/mageia/patch?arch=source&distro=mageia-7"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.7.6-4.1.mga7"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2020-0093.json"}}],"schema_version":"1.7.5","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}