CVE-2015-1416

Name: CVE-2015-1416
Description: Larry Wall's patch; patch in FreeBSD 10.2-RC1 before 10.2-RC1-p1, 10.2 before 10.2-BETA2-p2, and 10.1 before 10.1-RELEASE-p16; Bitrig; GNU patch before 2.2.5; and possibly other patch variants allow remote attackers to execute arbitrary shell commands via a crafted patch file.
Source: CVE (at NVD)

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package   Release                                      Version           Status
patch (PTS)      jessie, jessie (lts)                         2.7.5-1+deb8u3    fixed
                 stretch (security), stretch (lts), stretch   2.7.5-1+deb9u2    fixed
                 buster (security), buster, buster (lts)      2.7.6-3+deb10u1   fixed
                 sid, trixie, bullseye, bookworm              2.7.6-7           fixed

The information below is based on the following data on fixed versions.

Package   Type     Release      Fixed Version   Urgency   Origin   Debian Bugs
patch     source   (unstable)   2.5-1

Notes

https://www.openwall.com/lists/oss-security/2015/08/02/6
The CVE assignment applies as well to GNU patch before 2.3 and 2.2.5.
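Added example, not taken from the Debian tracker, from GNU patch or from any of the patch variants named above: a small pre-apply check for the construct this CVE is about. It assumes, following the oss-security thread linked above and the FreeBSD advisory for the same issue, that the vulnerable patch variants handed ed-style diffs to ed(1), where a line beginning with "!" at command position (or an "r !", "w !" or "e !" command) runs a shell. Unified and context diffs never reach ed and are not flagged. The three sample patches in the block are constructed for the example.

```python
"""Flag ed(1) shell escapes in a patch file before it is applied.

Constructed example for CVE-2015-1416, not code from any patch implementation.
Assumption: a vulnerable patch(1) pipes an ed-style diff to ed(1) unfiltered,
so a line such as "!id" at ed command position executes a shell command.
"""
import re
import sys
from typing import List, Tuple

# ed diff commands as emitted by "diff -e": "3a", "5,7c", "9d" (plus "i")
ED_CMD_RE = re.compile(r"^\d+(,\d+)?[acdi]$")
# ed commands that spawn a shell: "!cmd", "r !cmd", "w !cmd", "e !cmd"
SHELL_ESCAPE_RE = re.compile(r"^(!|[rwe]\s*!)")
# bookkeeping commands a patch tool appends itself when driving ed
ED_BOOKKEEPING = {"w", "q", "wq", ""}


def find_shell_escapes(patch_text: str) -> List[Tuple[int, str]]:
    """Return (line number, line) for every ed shell escape in patch_text.

    Only lines at ed *command* position count: text supplied to an a/c/i
    command (up to the terminating lone ".") is data, so a leading "!"
    there is harmless.
    """
    findings: List[Tuple[int, str]] = []
    in_ed = False    # inside an ed-style script
    in_text = False  # inside an a/c/i text block
    for lineno, line in enumerate(patch_text.splitlines(), 1):
        if not in_ed:
            # patch(1) skips leading garbage (mail headers, other diff
            # formats) until something looks like an ed command
            if ED_CMD_RE.match(line):
                in_ed = True
            else:
                continue
        if in_text:
            if line == ".":
                in_text = False
            continue
        if SHELL_ESCAPE_RE.match(line):
            findings.append((lineno, line))
        elif ED_CMD_RE.match(line):
            in_text = line[-1] in "aci"
        elif line in ED_BOOKKEEPING:
            pass
        else:
            in_ed = False  # left the ed script; another diff may follow
    return findings


def is_safe_to_apply(patch_text: str) -> bool:
    """True when no ed shell escape was found in the patch."""
    return not find_shell_escapes(patch_text)


# --- constructed sample patches (not real-world files) ---
UNIFIED_DIFF = "\n".join([
    "--- a/hello.c", "+++ b/hello.c", "@@ -1 +1 @@",
    '-puts("old");', '+puts("!new");', ""])

ED_DIFF_BENIGN = "\n".join([
    "3a", "!this line is inserted text, not an ed command", ".", "1d", ""])

ED_DIFF_MALICIOUS = "\n".join([
    "From: someone (constructed mail header, skipped like patch(1) does)",
    "2c", "replacement text", ".",
    "!id > /tmp/pwned",   # shell escape at ed command position
    "r !uname -a",        # read-from-command variant
    "w", "q", ""])


if __name__ == "__main__":
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else sys.stdin.read()
    hits = find_shell_escapes(data)
    for lineno, line in hits:
        print(f"line {lineno}: ed shell escape: {line}")
    sys.exit(1 if hits else 0)
```

Run it on an untrusted patch file before handing the file to patch(1) on a build that is not yet fixed; a non-zero exit means the file contains an ed script that would shell out. The check is deliberately conservative: it keys on ed command syntax rather than on the diff's declared type, since patch(1) decides the type by intuition from the content.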
