GNU patch another_hunk Function Double-Free Vulnerability [CVE-2018-6952]
CVE Number – CVE-2018-6952
A vulnerability in the another_hunk function of GNU patch could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on a targeted system.The vulnerability is due to the improper freeing of memory locations by the another_hunk function, as defined in the pch.c source code file of the affected software. An attacker could exploit this vulnerability by supplying a crafted patch file to the targeted system. A successful exploit could allow the attacker to cause a double-free condition, resulting in memory corruption that could lead to a DoS condition.The vendor has confirmed this vulnerability; however, updates and patches are not available.
Analysis
- To exploit this vulnerability, an attacker would need network access and the ability to supply the targeted system with a crafted patch file. These requirements could reduce the likelihood of a successful exploit.
Safeguards
- Administrators are advised to contact the vendor for future updates.Administrators are advised to allow only trusted users to have network access.Administrators are advised to monitor critical systems.
Vendor Announcements
- The vendor has released a security issue at the following link: Bug #53133
Fixed Software
- At the time this alert was first published, the vendor had not released software updates.
Duncan is a technology professional with over 20 years experience of working in various IT roles. He has a interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.