VulnerableCode Package Details - pkg:deb/debian/patch@2.7.5-1%2Bdeb9u2

Staging Environment: Content and features may be unstable or change without notice.

Search for packages

Package details: pkg:deb/debian/patch@2.7.5-1%2Bdeb9u2

Essentials
History (11)

purl	pkg:deb/debian/patch@2.7.5-1%2Bdeb9u2

Next non-vulnerable version	2.7.6-7
Latest non-vulnerable version	2.7.6-7
Risk	4.0

Vulnerabilities affecting this package (5)

Vulnerability	Summary	Fixed by
VCID-fuan-yz1a-jbej Aliases: CVE-2018-1000156	multiple issues	2.7.6-3+deb10u1 Affected by 3 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-kxps-vxqz-wqfq Aliases: CVE-2019-13636	In GNU patch through 2.7.6, the following of symlinks is mishandled in certain cases other than input files. This affects inp.c and util.c.	2.7.6-3+deb10u1 Affected by 3 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 2.7.6-7 Affected by 0 other vulnerabilities.
VCID-mfsr-c5z2-hfh4 Aliases: CVE-2019-13638	GNU patch through 2.7.6 is vulnerable to OS shell command injection that can be exploited by opening a crafted patch file that contains an ed style diff payload with shell metacharacters. The ed editor does not need to be present on the vulnerable system. This is different from CVE-2018-1000156.	2.7.6-3+deb10u1 Affected by 3 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 2.7.6-7 Affected by 0 other vulnerabilities.
VCID-t9q9-5hw4-73cs Aliases: CVE-2016-10713	An issue was discovered in GNU patch before 2.7.6. Out-of-bounds access within pch_write_line() in pch.c can possibly lead to DoS via a crafted input file.	2.7.6-3+deb10u1 Affected by 3 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-ycqe-xdf8-x3du Aliases: CVE-2018-20969	do_ed_script in pch.c in GNU patch through 2.7.6 does not block strings beginning with a ! character. NOTE: this is the same commit as for CVE-2019-13638, but the ! syntax is specific to ed, and is unrelated to a shell metacharacter.	2.7.6-3+deb10u1 Affected by 3 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 2.7.6-7 Affected by 0 other vulnerabilities.

Vulnerabilities fixed by this package (3)

Vulnerability	Summary	Aliases
VCID-kxps-vxqz-wqfq	In GNU patch through 2.7.6, the following of symlinks is mishandled in certain cases other than input files. This affects inp.c and util.c.	CVE-2019-13636
VCID-mfsr-c5z2-hfh4	GNU patch through 2.7.6 is vulnerable to OS shell command injection that can be exploited by opening a crafted patch file that contains an ed style diff payload with shell metacharacters. The ed editor does not need to be present on the vulnerable system. This is different from CVE-2018-1000156.	CVE-2019-13638
VCID-ycqe-xdf8-x3du	do_ed_script in pch.c in GNU patch through 2.7.6 does not block strings beginning with a ! character. NOTE: this is the same commit as for CVE-2019-13638, but the ! syntax is specific to ed, and is unrelated to a shell metacharacter.	CVE-2018-20969

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-06T03:07:20.771893+00:00	Debian Oval Importer	Affected by	VCID-ycqe-xdf8-x3du	https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2	38.6.0
2026-06-06T02:04:59.305166+00:00	Debian Oval Importer	Affected by	VCID-mfsr-c5z2-hfh4	https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2	38.6.0
2026-06-05T23:52:18.290685+00:00	Debian Oval Importer	Affected by	VCID-kxps-vxqz-wqfq	https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2	38.6.0
2026-06-05T23:43:51.733517+00:00	Debian Oval Importer	Affected by	VCID-t9q9-5hw4-73cs	https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2	38.6.0
2026-06-05T22:54:05.753524+00:00	Debian Oval Importer	Affected by	VCID-ycqe-xdf8-x3du	https://www.debian.org/security/oval/oval-definitions-buster.xml.bz2	38.6.0
2026-06-05T22:52:24.197311+00:00	Debian Oval Importer	Affected by	VCID-kxps-vxqz-wqfq	https://www.debian.org/security/oval/oval-definitions-buster.xml.bz2	38.6.0
2026-06-05T22:51:07.360535+00:00	Debian Oval Importer	Affected by	VCID-mfsr-c5z2-hfh4	https://www.debian.org/security/oval/oval-definitions-buster.xml.bz2	38.6.0
2026-06-05T22:49:16.280988+00:00	Debian Oval Importer	Fixing	VCID-kxps-vxqz-wqfq	https://www.debian.org/security/oval/oval-definitions-stretch.xml.bz2	38.6.0
2026-06-05T22:36:19.279541+00:00	Debian Oval Importer	Fixing	VCID-mfsr-c5z2-hfh4	https://www.debian.org/security/oval/oval-definitions-stretch.xml.bz2	38.6.0
2026-06-05T22:28:28.615065+00:00	Debian Oval Importer	Fixing	VCID-ycqe-xdf8-x3du	https://www.debian.org/security/oval/oval-definitions-stretch.xml.bz2	38.6.0
2026-06-02T00:56:15.696546+00:00	Debian Oval Importer	Affected by	VCID-fuan-yz1a-jbej	https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2	38.6.0