SB2019072492 - Fedora 30 update for patch
Published: July 24, 2019 Updated: April 25, 2025
Security Bulletin ID
SB2019072492
Severity
Low
Patch available
YES
Number of vulnerabilities
2
Exploitation vector
Remote access
Highest impact
Code execution
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 2 secuirty vulnerabilities.
1) Improper Link Resolution Before File Access ('Link Following') (CVE-ID: CVE-2019-13636)
The vulnerability allows a local user to gain unauthorized access to files or directories on a targeted system.
The vulnerability exists due to the software mishandles the following of symlinks in certain cases other than input files in the "inp.c" and "util.c" files. A local authenticated user can gain unauthorized access to read or modify files and directories on a targeted system.
2) OS Command Injection (CVE-ID: CVE-2019-13638)
The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.
The vulnerability exists due to insufficient validation of ed style diff payload with shell metacharacters in patch files. A remote attacker can trick the victim to use a specially crafted patch file and execute arbitrary OS commands.
Remediation
Install update from vendor's website.