SB2019081805 - Gentoo update for Patch
Published: August 18, 2019 Updated: August 25, 2019
Security Bulletin ID
SB2019081805
Severity
Low
Patch available
YES
Number of vulnerabilities
2
Exploitation vector
Remote access
Highest impact
Code execution
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 2 secuirty vulnerabilities.
1) Improper Link Resolution Before File Access ('Link Following') (CVE-ID: CVE-2019-13636)
The vulnerability allows a local user to gain unauthorized access to files or directories on a targeted system.
The vulnerability exists due to the software mishandles the following of symlinks in certain cases other than input files in the "inp.c" and "util.c" files. A local authenticated user can gain unauthorized access to read or modify files and directories on a targeted system.
2) OS Command Injection (CVE-ID: CVE-2019-13638)
The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.
The vulnerability exists due to insufficient validation of ed style diff payload with shell metacharacters in patch files. A remote attacker can trick the victim to use a specially crafted patch file and execute arbitrary OS commands.
Remediation
Install update from vendor's website.