CVE-2019-20633 in Patchinfo

Summary

by MITRE

GNU patch through 2.7.6 contains a free(p_line[p_end]) Double Free vulnerability in the function another_hunk in pch.c that can cause a denial of service via a crafted patch file. NOTE: this issue exists because of an incomplete fix for CVE-2018-6952.


Analysis

by VulDB Data Team • 05/11/2025

The vulnerability CVE-2019-20633 represents a critical double free error in GNU patch version 2.7.6 and earlier, specifically within the another_hunk function in the pch.c source file. This issue constitutes a memory corruption vulnerability that arises from improper handling of dynamically allocated memory during patch processing operations. The flaw manifests when the patch utility processes maliciously crafted patch files, leading to the accidental freeing of the same memory block twice, which can result in arbitrary code execution or complete system denial of service. This vulnerability directly impacts the integrity of memory management within the patch utility and represents a significant security risk for any system relying on GNU patch for software updates or source code modifications.

The technical root cause of this vulnerability stems from an incomplete remediation of a previously identified issue CVE-2018-6952, creating a regression that allows the double free condition to persist. The another_hunk function in pch.c demonstrates improper memory management when processing patch hunks, where the p_line[p_end] pointer undergoes a double free operation through the free(p_line[p_end]) call. This memory management error occurs during the parsing and application of patch files, particularly when handling malformed or specially crafted input that triggers the vulnerable code path. The flaw exists in the context of privilege escalation scenarios where an attacker can manipulate patch files to cause the utility to free the same memory location twice, potentially leading to heap corruption that could be exploited for more severe attacks.
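As an added illustration (this is not code from GNU patch's pch.c or from the advisory above), the following C program models the p_line[p_end] pattern the paragraph describes: a hunk's line buffers sit in an array whose last index is p_end, and releasing that slot from two code paths is the CWE-415 condition. The `struct hunk`, `hunk_release_line`, `hunk_destroy`, `hunk_init` and `demo_*` names are assumptions chosen for this example, and the sample hunk text is constructed. The hardened release frees a slot exactly once and clears it, so a repeated release of the same index becomes a no-op instead of a double free.

```c
/* Added example: a small model of the p_line[p_end] double-free pattern.
 * Not GNU patch's pch.c; struct and function names are assumptions. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_LINES 8

/* Stand-in for the hunk line buffer: heap-allocated lines plus the index
 * of the last line (p_end), mirroring the names used in the advisory. */
struct hunk {
    char *p_line[MAX_LINES];
    size_t p_end;
};

/* Hardened release: frees a slot exactly once and clears it, so a second
 * release of the same index is a harmless no-op rather than a double free.
 * Returns 1 if memory was released on this call, 0 otherwise.
 *
 * The vulnerable pattern this replaces looks like:
 *     free(h->p_line[h->p_end]);   // first path releases the line
 *     ...
 *     free(h->p_line[h->p_end]);   // second path reaches the same slot: CWE-415
 */
int hunk_release_line(struct hunk *h, size_t idx) {
    if (idx >= MAX_LINES || h->p_line[idx] == NULL)
        return 0;
    free(h->p_line[idx]);
    h->p_line[idx] = NULL;  /* clearing the slot is what makes re-release safe */
    return 1;
}

/* Releases every line; safe to call more than once. Returns frees done. */
int hunk_destroy(struct hunk *h) {
    int frees = 0;
    for (size_t i = 0; i < MAX_LINES; i++)
        frees += hunk_release_line(h, i);
    return frees;
}

/* Portable strdup replacement (strdup is POSIX, not ISO C). */
static char *dup_line(const char *s) {
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p) memcpy(p, s, n);
    return p;
}

/* Loads n lines into the hunk; cleans up on allocation failure. */
int hunk_init(struct hunk *h, const char **lines, size_t n) {
    if (n == 0 || n > MAX_LINES) return -1;
    memset(h, 0, sizeof *h);
    for (size_t i = 0; i < n; i++) {
        h->p_line[i] = dup_line(lines[i]);
        if (h->p_line[i] == NULL) { hunk_destroy(h); return -1; }
    }
    h->p_end = n - 1;
    return 0;
}

/* Constructed sample hunk used by the demos below (not from a real patch). */
static const char *SAMPLE[] = { "@@ -1,2 +1,2 @@", "-old line", "+new line" };
#define SAMPLE_N (sizeof SAMPLE / sizeof SAMPLE[0])

/* Models the advisory's scenario: the last line is released, then a second
 * code path tries to release the same index again.
 * Returns the number of real frees performed on p_line[p_end]; 1 means the
 * second attempt was absorbed. Returns -1 on setup failure. */
int demo_release_end_twice(void) {
    struct hunk h;
    if (hunk_init(&h, SAMPLE, SAMPLE_N) != 0) return -1;
    int frees = hunk_release_line(&h, h.p_end);   /* first release: frees */
    frees += hunk_release_line(&h, h.p_end);      /* second release: no-op */
    hunk_destroy(&h);
    return frees;
}

/* Destroying twice must free each line exactly once: returns total frees. */
int demo_destroy_twice(void) {
    struct hunk h;
    if (hunk_init(&h, SAMPLE, SAMPLE_N) != 0) return -1;
    return hunk_destroy(&h) + hunk_destroy(&h);
}

int main(void) {
    int a = demo_release_end_twice(), b = demo_destroy_twice();
    printf("frees of p_line[p_end] after two releases: %d (expect 1)\n", a);
    printf("total frees after two destroys: %d (expect %zu)\n", b, SAMPLE_N);
    return (a == 1 && b == (int)SAMPLE_N) ? 0 : 1;
}
```

Build it with `cc -fsanitize=address -g double_free_demo.c` and delete the `h->p_line[idx] = NULL;` line to see AddressSanitizer report the second free as a double-free; the same sanitizer build is the practical way to catch this class of regression in a patch utility's test suite before release. Without a sanitizer, glibc's allocator commonly detects a repeated free and aborts the process, which is the crash behind the denial of service the advisory describes.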

From an operational impact perspective, this vulnerability poses significant risks to system availability and integrity across various computing environments that utilize GNU patch for software maintenance and code updates. The denial of service condition can affect any system where patch operations are performed, including development servers, build environments, and production systems that rely on automated patch application processes. Organizations using GNU patch for regular software updates or source code management are particularly vulnerable, as malicious patch files could be introduced through compromised software repositories or supply chain attacks. The vulnerability's exploitation potential extends beyond simple denial of service to include potential code execution scenarios that could compromise system integrity and confidentiality, especially in environments where patch operations are automated or performed with elevated privileges.

Security professionals should consider this vulnerability in the context of the CWE-415 and CWE-416 categories, which specifically address double free conditions and improper memory management. The ATT&CK framework categorizes this issue under T1059.007 for command and scripting interpreter and T1552.001 for data from local system, as exploitation could enable attackers to gain unauthorized access or manipulate system resources. Mitigation strategies should include immediate patching of GNU patch to version 2.7.7 or later, which contains the complete fix for this vulnerability. Organizations should also implement strict input validation for patch files, particularly when these originate from untrusted sources, and consider implementing sandboxed environments for patch application processes to limit potential exploitation impacts. Network segmentation and access controls around patch management systems can further reduce the attack surface and prevent unauthorized patch file injection attacks that could leverage this vulnerability.

Reservation: 03/25/2020

Moderation: accepted

CPE: ready

EPSS: 0.00998

KEV: no

Activities: very low

Sources
