GNU patch another_hunk Function Double-Free Vulnerability [CVE-2018-6952]

CVE Number – CVE-2018-6952

A vulnerability in the another_hunk function of GNU patch could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on a targeted system.

The vulnerability is due to the improper freeing of memory locations by the another_hunk function, as defined in the pch.c source code file of the affected software. An attacker could exploit this vulnerability by supplying a crafted patch file to the targeted system. A successful exploit could allow the attacker to cause a double-free condition, resulting in memory corruption that could lead to a DoS condition.

The vendor has confirmed this vulnerability; however, updates and patches are not available.

Analysis

  • To exploit this vulnerability, an attacker would need network access and the ability to supply the targeted system with a crafted patch file. These requirements could reduce the likelihood of a successful exploit.

Safeguards

  • Administrators are advised to contact the vendor for future updates.
  • Administrators are advised to allow only trusted users to have network access.
  • Administrators are advised to monitor critical systems.

Vendor Announcements

  • The vendor has published details of the security issue at the following link: Bug #53133

Fixed Software

  • At the time this alert was first published, the vendor had not released software updates.

Duncan Newell

Duncan is a technology professional with over 20 years' experience of working in various IT roles. He has an interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.
