2024

2023

2022

2021

2020

2019

CVE-2019-13638 (v3: 7.8) 26 Jul 2019
GNU patch through 2.7.6 is vulnerable to OS shell command injection that can be exploited by opening a crafted patch file that contains an ed-style diff payload with shell metacharacters. The ed editor does not need to be present on the vulnerable system. This is different from CVE-2018-1000156.

2018

CVE-2018-20969 (v3: 7.8) 16 Aug 2019
do_ed_script in pch.c in GNU patch through 2.7.6 does not block strings beginning with a ! character. NOTE: this is the same commit as for CVE-2019-13638, but the ! syntax is specific to ed, and is unrelated to a shell metacharacter.

2017

2016

CVE-2016-0634 (v3: 7.5) 28 Aug 2017
The expansion of '\h' in the prompt string in bash 4.3 allows remote authenticated users to execute arbitrary code via shell metacharacters placed in 'hostname' of a machine.

2015