CLD-355 Details

Other IDs this deficiency may be known by:

CVE ID CVE-2018-1000156 (nvd) (mitre) (debian) (archlinux) (red hat) (suse) (ubuntu)
Other ID(s)

Basic Information:

Affected Package(s) patch
Deficiency Type SECURITY
Date Created 2018-04-06 08:53:39
Date Last Modified 2018-04-06 10:30:29

Version Specific Information:

Cucumber 1.0 i686fixed in patch-2.7.5-i686-3
Cucumber 1.0 x86_64fixed in patch-2.7.5-x86_64-3

Cucumber 1.1 i686 fixed in patch-2.7.5-i686-3
Cucumber 1.1 x86_64 fixed in patch-2.7.5-x86_64-3


=================================== Overview ===================================

GNU Patch version 2.7.6 contains an input validation vulnerability when
processing patch files, specifically the EDITOR_PROGRAM invocation (using ed)
can result in code execution. This attack appear to be exploitable via a patch
file processed via the patch utility. This is similar to FreeBSD's
CVE-2015-1418 however although they share a common ancestry the code bases have
diverged over time. 

================================ Initial Report ================================


Date: Fri, 6 Apr 2018 08:52:43 +0200
From: Hanno B?ck 
Subject: Privsec vuln in beep / Code execution in GNU patch


There was a joke webpage about a vulnerability in beep a few days ago:
There's also a corresponding Debian Advisory:
Neither have any technical details. CVE is CVE-2018-0492.

If anyone knows the background of this please share it.

However it turned out that on that joke holey beep webpage there's a
patch with a hidden easter egg that's actually a vulnerability in GNU
GNU patch supports a legacy "ed" format for patches and that allows
executing external commands.

It's been reported to GNU patch now here:
CVE is CVE-2018-1000156. (says an anonymous commenter...)

A minimal poc looks like this:
--- a	2018-13-37 13:37:37.000000000 +0100
+++ b	2018-13-37 13:38:38.000000000 +0100

It looks like FreeBSD and OpenBSD have fixed something alike in 2015:

Hanno B?ck

GPG: FE73757FA60E4E21B937579FA5880072BBB51E42

============================ Additional Information ============================

For further reading see:

Oringinal "exploit" site:

Original "exploit" patch:

================================= Our Analysis =================================

----- Affected Products -----
We have verified in our lab environment that GNU patch 2.7.5 that has not been
specifically patched for this vulnerability is vulnerable. This includes patch
as originally packaged in Cucumber Linux 1.0 and 1.1.

----- Scope and Impact of this Vulnerability -----
This vulnerability allows for arbitrary code execution if the user goes to apply
a malicious patch. It does not require any special flags to be passed; it is the
default behavior.

----- Testing if you are Affected -----
You can test if your version of patch is affected by attempting to apply the
patch from Applying
this patch will require the presence of two files: 'a' and 'b' in the CWD
(without the quotes). If a file is created in your home directory called
'' containing the output of the `id` command, your version of patch is

----- Fix for this Vulnerability -----
There are a couple of patches that people are claiming fix this vulnerability.
They are:

Of these, only ed-fix.patch has been applied to the official patch Git tree (see
Consequentially, we have applied only the patch from that commit. We have
verified in our lab environment that this patch does fix the vulnerability.

================================= Our Solution =================================

We have applied a modified version of the patch from
and rebuilt. Our modified patch can be found at: