SB2019080846 - Improper input validation in patch (Alpine package)
Published: August 8, 2019
Security Bulletin ID
SB2019080846
Severity
High
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Remote access
Highest impact
Code execution
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 security vulnerability.
1) Improper input validation (CVE-ID: CVE-2018-1000156)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists in the EDITOR_PROGRAM invocation due to improper input validation. A remote attacker can send a specially crafted patch file and execute arbitrary code.
Successful exploitation of the vulnerability may result in system compromise.
Remediation
Install update from vendor's website.
References
- https://git.alpinelinux.org/aports/commit/?id=eb88ff152557254bd38fbe358892d73f97a09e6b
- https://git.alpinelinux.org/aports/commit/?id=08cb18d753922eac06c4a8129e25ed4dc7e4c757
- https://git.alpinelinux.org/aports/commit/?id=095fae596fc49100874f93b298316eb4f6d24f0f
- https://git.alpinelinux.org/aports/commit/?id=8f0728f36ce1e97f76e4da6a8f980538652a78a6
- https://git.alpinelinux.org/aports/commit/?id=a7c5a8cafae8eb123b5026d0c83f1af99caac728
- https://git.alpinelinux.org/aports/commit/?id=f1460ec84b8cffa5d8fa79602ad97642452e5e5c