SB2019080847 - OS Command Injection in patch (Alpine package)
Published: August 8, 2019
Security Bulletin ID
SB2019080847
Severity
Low
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Remote access
Highest impact
Code execution
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 security vulnerability.
1) OS Command Injection (CVE-ID: CVE-2019-13638)
The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.
The vulnerability exists due to insufficient validation of ed style diff payload with shell metacharacters in patch files. A remote attacker can trick the victim to use a specially crafted patch file and execute arbitrary OS commands.
Remediation
Install update from vendor's website.
References
- https://git.alpinelinux.org/aports/commit/?id=eb88ff152557254bd38fbe358892d73f97a09e6b
- https://git.alpinelinux.org/aports/commit/?id=08cb18d753922eac06c4a8129e25ed4dc7e4c757
- https://git.alpinelinux.org/aports/commit/?id=095fae596fc49100874f93b298316eb4f6d24f0f
- https://git.alpinelinux.org/aports/commit/?id=8f0728f36ce1e97f76e4da6a8f980538652a78a6
- https://git.alpinelinux.org/aports/commit/?id=a7c5a8cafae8eb123b5026d0c83f1af99caac728
- https://git.alpinelinux.org/aports/commit/?id=f1460ec84b8cffa5d8fa79602ad97642452e5e5c