FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

FreeBSD -- shell injection vulnerability in patch(1)

Affected packages
10.1 <= FreeBSD < 10.1_16


VuXML ID 0c6759dd-600a-11e6-a6c3-14dae9d210b8
Discovery 2015-07-28
Entry 2016-08-11

Problem Description:

patch(1) invokes the SCCS or RCS commands it needs (to check out a file under version control) through a shell. Because the input patch stream is insufficiently sanitized before those command lines are built, a crafted patch file can cause patch(1) to run commands in addition to the desired SCCS or RCS commands.


This issue could be exploited to execute arbitrary commands as the user invoking patch(1) against a specially crafted patch file. Because patches are often applied by a privileged user (for example root during a build or update), the flaw could be leveraged to obtain elevated privileges.
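As an added illustration of the flaw class described above (this is not FreeBSD's patch(1) source, whose exact code paths the page does not show), the following C program contrasts the vulnerable pattern, a checkout command string assembled from a file name taken out of the patch stream and executed through a shell, with the execvp(3) form that passes the file name as a single argument so no shell ever parses it. The "co -l" template, the constructed file name "foo.c; exit 7", the metacharacter list and the use of true(1) as a harmless stand-in for the RCS/SCCS tool are assumptions made for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Decode a wait(2)/system(3) status into the child's exit code
   (-1 if the child was killed by a signal or never ran). */
static int exit_code(int status)
{
    if (status == -1)
        return -1;
    if (WIFEXITED(status))
        return WEXITSTATUS(status);
    return -1;
}

/* Vulnerable pattern (illustrative, not patch(1)'s actual code): the file
   name read from the patch stream is spliced into a command template that
   is later handed to a shell.  "co -l <file>" is the RCS checkout; an SCCS
   equivalent would be "get -e <file>".  Returns the length snprintf would
   have written. */
int build_checkout_command(char *out, size_t outlen, const char *filename)
{
    return snprintf(out, outlen, "co -l %s", filename);
}

/* Run a command string through /bin/sh, exactly as system(3) does.
   Any ';', '|', '$(...)' etc. in the string is interpreted by the shell. */
int run_via_shell(const char *cmd)
{
    return exit_code(system(cmd));
}

/* Hardened pattern: fork and execvp(3) with an argv vector.  The file name
   is one argv element; metacharacters inside it are just bytes. */
int run_noshell(char *const argv[])
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execvp(argv[0], argv);
        _exit(127);                 /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return exit_code(status);
}

/* Defence in depth: refuse file names that contain shell metacharacters
   before they reach any checkout command.  Returns 1 if any are present. */
int has_shell_metachars(const char *s)
{
    return strpbrk(s, ";|&$`<>()\n\"'\\ *?[]{}~") != NULL;
}

int main(void)
{
    /* Constructed attacker-controlled file name, such as one carried on an
       "Index:" or "+++" line of a crafted patch.  Harmless here: at worst it
       changes the exit status of true(1). */
    const char *evil = "foo.c; exit 7";
    char cmd[256];

    build_checkout_command(cmd, sizeof cmd, evil);
    printf("shell would run: %s\n", cmd);

    /* Through the shell the ';' terminates "true" and "exit 7" runs. */
    printf("via shell  -> exit %d\n", run_via_shell("true foo.c; exit 7"));

    /* Without a shell the whole string is a single argument to true(1). */
    char *argv[] = { "true", (char *)evil, NULL };
    printf("via execvp -> exit %d\n", run_noshell(argv));

    printf("metachars in \"%s\": %d\n", evil, has_shell_metachars(evil));
    return 0;
}
```

The exit status is the tell: the shell path returns 7 because it executed the injected `exit 7`, while the execvp path returns 0 because true(1) received "foo.c; exit 7" as one opaque argument. The same contrast holds for the real injection primitive, where the attacker-chosen suffix would be an arbitrary command rather than `exit 7`.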


CVE Name CVE-2015-1416
FreeBSD Advisory SA-15:14.bsdpatch