fixed #1733917, CVE-2019-13638 patch: OS shell command injection when processing crafted patch files

patch-2.7.6-CVE-2018-6952-fix-swapping-fake-lines-in-pch_swap.patch

@@ -0,0 +1,25 @@
+commit 9c986353e420ead6e706262bf204d6e03322c300
+Author: Andreas Gruenbacher <agruen@gnu.org>
+Date:   Fri Aug 17 13:35:40 2018 +0200
+
+    Fix swapping fake lines in pch_swap
+    
+    * src/pch.c (pch_swap): Fix swapping p_bfake and p_efake when there is a
+    blank line in the middle of a context-diff hunk: that empty line stays
+    in the middle of the hunk and isn't swapped.
+    
+    Fixes: https://savannah.gnu.org/bugs/index.php?53133
+
+diff --git a/src/pch.c b/src/pch.c
+index e92bc64..a500ad9 100644
+--- a/src/pch.c
++++ b/src/pch.c
+@@ -2122,7 +2122,7 @@ pch_swap (void)
+     }
+     if (p_efake >= 0) {			/* fix non-freeable ptr range */
+ 	if (p_efake <= i)
+-	    n = p_end - i + 1;
++	    n = p_end - p_ptrn_lines;
+ 	else
+ 	    n = -i;
+ 	p_efake += n;

patch-2.7.6-CVE-2018-6952.patch

@@ -1,13 +0,0 @@
-diff --git a/src/pch.c b/src/pch.c
-index e92bc64..a500ad9 100644
---- a/src/pch.c
-+++ b/src/pch.c
-@@ -2122,7 +2122,7 @@ pch_swap (void)
-     }
-     if (p_efake >= 0) {			/* fix non-freeable ptr range */
- 	if (p_efake <= i)
--	    n = p_end - i + 1;
-+	    n = p_end - p_ptrn_lines;
- 	else
- 	    n = -i;
- 	p_efake += n;

patch-2.7.6-CVE-2019-13638-invoked-ed-directly-instead-of-using-the-shell.patch

@@ -0,0 +1,33 @@
+commit 3fcd042d26d70856e826a42b5f93dc4854d80bf0
+Author: Andreas Gruenbacher <agruen@gnu.org>
+Date:   Fri Apr 6 19:36:15 2018 +0200
+
+    Invoke ed directly instead of using the shell
+    
+    * src/pch.c (do_ed_script): Invoke ed directly instead of using a shell
+    command to avoid quoting vulnerabilities.
+
+diff --git a/src/pch.c b/src/pch.c
+index 4fd5a05..16e001a 100644
+--- a/src/pch.c
++++ b/src/pch.c
+@@ -2459,9 +2459,6 @@ do_ed_script (char const *inname, char const *outname,
+ 	    *outname_needs_removal = true;
+ 	    copy_file (inname, outname, 0, exclusive, instat.st_mode, true);
+ 	  }
+-	sprintf (buf, "%s %s%s", editor_program,
+-		 verbosity == VERBOSE ? "" : "- ",
+-		 outname);
+ 	fflush (stdout);
+ 
+ 	pid = fork();
+@@ -2470,7 +2467,8 @@ do_ed_script (char const *inname, char const *outname,
+ 	else if (pid == 0)
+ 	  {
+ 	    dup2 (tmpfd, 0);
+-	    execl ("/bin/sh", "sh", "-c", buf, (char *) 0);
++	    assert (outname[0] != '!' && outname[0] != '-');
++	    execlp (editor_program, editor_program, "-", outname, (char  *) NULL);
+ 	    _exit (2);
+ 	  }
+ 	else

patch-2.7.6-allow-input-files-to-be-missing-for-ed-style-patches.patch

@@ -0,0 +1,28 @@
+commit b5a91a01e5d0897facdd0f49d64b76b0f02b43e1
+Author: Andreas Gruenbacher <agruen@gnu.org>
+Date:   Fri Apr 6 11:34:51 2018 +0200
+
+    Allow input files to be missing for ed-style patches
+    
+    * src/pch.c (do_ed_script): Allow input files to be missing so that new
+    files will be created as with non-ed-style patches.
+
+diff --git a/src/pch.c b/src/pch.c
+index bc6278c..0c5cc26 100644
+--- a/src/pch.c
++++ b/src/pch.c
+@@ -2394,9 +2394,11 @@ do_ed_script (char const *inname, char const *outname,
+ 
+     if (! dry_run && ! skip_rest_of_patch) {
+ 	int exclusive = *outname_needs_removal ? 0 : O_EXCL;
+-	assert (! inerrno);
+-	*outname_needs_removal = true;
+-	copy_file (inname, outname, 0, exclusive, instat.st_mode, true);
++	if (inerrno != ENOENT)
++	  {
++	    *outname_needs_removal = true;
++	    copy_file (inname, outname, 0, exclusive, instat.st_mode, true);
++	  }
+ 	sprintf (buf, "%s %s%s", editor_program,
+ 		 verbosity == VERBOSE ? "" : "- ",
+ 		 outname);

patch-2.7.6-avoid-invalid-memory-access-in-context-format-diffs.patch

@@ -0,0 +1,21 @@
+commit 15b158db3ae11cb835f2eb8d2eb48e09d1a4af48
+Author: Andreas Gruenbacher <agruen@gnu.org>
+Date:   Mon Jul 15 19:10:02 2019 +0200
+
+    Avoid invalid memory access in context format diffs
+    
+    * src/pch.c (another_hunk): Avoid invalid memory access in context format
+    diffs.
+
+diff --git a/src/pch.c b/src/pch.c
+index a500ad9..cb54e03 100644
+--- a/src/pch.c
++++ b/src/pch.c
+@@ -1328,6 +1328,7 @@ another_hunk (enum diff difftype, bool rev)
+ 		  ptrn_prefix_context = context;
+ 		ptrn_suffix_context = context;
+ 		if (repl_beginning
++		    || p_end <= 0
+ 		    || (p_end
+ 			!= p_ptrn_lines + 1 + (p_Char[p_end - 1] == '\n')))
+ 		  {

patch-2.7.6-avoid-set_file_attributes-sign-conversion-warnings.patch

@@ -0,0 +1,24 @@
+commit 3bbebbb29f6fbbf2988b9f2e75695b7c0b1f1c9b
+Author: Andreas Gruenbacher <agruen@gnu.org>
+Date:   Wed Feb 7 12:01:22 2018 +0100
+
+    Avoid set_file_attributes sign conversion warnings
+    
+    * src/util.c (set_file_attributes): Avoid sign conversion warnings when
+    assigning -1 to uid_t / gid_t.
+
+diff --git a/src/util.c b/src/util.c
+index b1c7266..1cc08ba 100644
+--- a/src/util.c
++++ b/src/util.c
+@@ -256,8 +256,8 @@ set_file_attributes (char const *to, enum file_attributes attr,
+     }
+   if (attr & FA_IDS)
+     {
+-      static uid_t euid = -1;
+-      static gid_t egid = -1;
++      static uid_t euid = (uid_t)-1;
++      static gid_t egid = (gid_t)-1;
+       uid_t uid;
+       uid_t gid;
+ 

patch-2.7.6-avoid-warnings-gcc8.patch

@@ -0,0 +1,85 @@
+commit ae81be0024ea4eaf139b7ba57e9a8ce9e4a163ec
+Author: Jim Meyering <jim@meyering.net>
+Date:   Fri Apr 6 17:17:11 2018 -0700
+
+    maint: avoid warnings from GCC8
+    
+    Hi Andreas,
+    
+    I configured with --enable-gcc-warnings and bleeding-edge gcc
+    (version 8.0.1 20180406) and hit some warning-escalated-to-errors.
+    This fixes them:
+    
+    >From a71ddb200dbe7ac0f9258796b5a51979b2740e88 Mon Sep 17 00:00:00 2001
+    From: Jim Meyering <meyering@fb.com>
+    Date: Fri, 6 Apr 2018 16:47:00 -0700
+    Subject: [PATCH] maint: avoid warnings from GCC8
+    
+    * src/common.h (FALLTHROUGH): Define.
+    * src/patch.c (abort_hunk_context): Use FALLTHROUGH macro in place of
+    a comment.  This avoids a warning from -Wimplicit-fallthrough=.
+    * src/pch.c (do_ed_script): Add otherwise unnecessary initialization
+    to avoid warning from -Wmaybe-uninitialized.
+    (another_hunk): Use FALLTHROUGH macro here, too, twice.
+
+diff --git a/src/common.h b/src/common.h
+index ec50b40..904a3f8 100644
+--- a/src/common.h
++++ b/src/common.h
+@@ -218,3 +218,11 @@ bool merge_hunk (int hunk, struct outstate *, lin where, bool *);
+ #else
+ # define merge_hunk(hunk, outstate, where, somefailed) false
+ #endif
++
++#ifndef FALLTHROUGH
++# if __GNUC__ < 7
++#  define FALLTHROUGH ((void) 0)
++# else
++#  define FALLTHROUGH __attribute__ ((__fallthrough__))
++# endif
++#endif
+diff --git a/src/patch.c b/src/patch.c
+index 0fe6d72..1ae91d9 100644
+--- a/src/patch.c
++++ b/src/patch.c
+@@ -1381,7 +1381,7 @@ abort_hunk_context (bool header, bool reverse)
+ 	    break;
+ 	case ' ': case '-': case '+': case '!':
+ 	    fprintf (rejfp, "%c ", pch_char (i));
+-	    /* fall into */
++	    FALLTHROUGH;
+ 	case '\n':
+ 	    pch_write_line (i, rejfp);
+ 	    break;
+diff --git a/src/pch.c b/src/pch.c
+index 1055542..cda3dfa 100644
+--- a/src/pch.c
++++ b/src/pch.c
+@@ -1735,7 +1735,7 @@ another_hunk (enum diff difftype, bool rev)
+ 		break;
+ 	    case '=':
+ 		ch = ' ';
+-		/* FALL THROUGH */
++		FALLTHROUGH;
+ 	    case ' ':
+ 		if (fillsrc > p_ptrn_lines) {
+ 		    free(s);
+@@ -1756,7 +1756,7 @@ another_hunk (enum diff difftype, bool rev)
+ 		    p_end = fillsrc-1;
+ 		    return -1;
+ 		}
+-		/* FALL THROUGH */
++		FALLTHROUGH;
+ 	    case '+':
+ 		if (filldst > p_end) {
+ 		    free(s);
+@@ -2394,8 +2394,7 @@ do_ed_script (char const *inname, char const *outname,
+     size_t chars_read;
+     FILE *tmpfp = 0;
+     char const *tmpname;
+-    int tmpfd;
+-    pid_t pid;
++    int tmpfd = -1; /* placate gcc's -Wmaybe-uninitialized */
+     int exclusive = *outname_needs_removal ? 0 : O_EXCL;
+     char const **ed_argv;
+     int stdin_dup, status;

patch-2.7.6-check-of-return-value-of-fwrite.patch

@@ -0,0 +1,75 @@
+commit 1e9104c18019e7dc6b5590aea4b1d4f9d8ecfd56
+Author: Bruno Haible <bruno@clisp.org>
+Date:   Sat Apr 7 12:21:04 2018 +0200
+
+    Fix check of return value of fwrite().
+    
+    * src/patch.c (copy_till): Consider incomplete fwrite() write as an error.
+    * src/pch.c (pch_write_line, do_ed_script): Likewise.
+
+diff --git a/src/patch.c b/src/patch.c
+index 1ae91d9..3fcaec5 100644
+--- a/src/patch.c
++++ b/src/patch.c
+@@ -2,7 +2,7 @@
+ 
+ /* Copyright (C) 1984, 1985, 1986, 1987, 1988 Larry Wall
+ 
+-   Copyright (C) 1989-1993, 1997-1999, 2002-2003, 2006, 2009-2012 Free Software
++   Copyright (C) 1989-1993, 1997-1999, 2002-2003, 2006, 2009-2018 Free Software
+    Foundation, Inc.
+ 
+    This program is free software: you can redistribute it and/or modify
+@@ -1641,7 +1641,7 @@ copy_till (struct outstate *outstate, lin lastline)
+ 	if (size)
+ 	  {
+ 	    if ((! outstate->after_newline  &&  putc ('\n', fp) == EOF)
+-		|| ! fwrite (s, sizeof *s, size, fp))
++		|| fwrite (s, sizeof *s, size, fp) < size)
+ 	      write_fatal ();
+ 	    outstate->after_newline = s[size - 1] == '\n';
+ 	    outstate->zero_output = false;
+diff --git a/src/pch.c b/src/pch.c
+index cda3dfa..79a3c99 100644
+--- a/src/pch.c
++++ b/src/pch.c
+@@ -2279,8 +2279,11 @@ pfetch (lin line)
+ bool
+ pch_write_line (lin line, FILE *file)
+ {
+-  bool after_newline = (p_len[line] > 0) && (p_line[line][p_len[line] - 1] == '\n');
+-  if (! fwrite (p_line[line], sizeof (*p_line[line]), p_len[line], file))
++  bool after_newline =
++    (p_len[line] > 0) && (p_line[line][p_len[line] - 1] == '\n');
++
++  if (fwrite (p_line[line], sizeof (*p_line[line]), p_len[line], file)
++      < p_len[line])
+     write_fatal ();
+   return after_newline;
+ }
+@@ -2427,13 +2430,14 @@ do_ed_script (char const *inname, char const *outname,
+ 	ed_command_letter = get_ed_command_letter (buf);
+ 	if (ed_command_letter) {
+ 	    if (tmpfp)
+-		if (! fwrite (buf, sizeof *buf, chars_read, tmpfp))
++		if (fwrite (buf, sizeof *buf, chars_read, tmpfp) < chars_read)
+ 		    write_fatal ();
+ 	    if (ed_command_letter != 'd' && ed_command_letter != 's') {
+ 	        p_pass_comments_through = true;
+ 		while ((chars_read = get_line ()) != 0) {
+ 		    if (tmpfp)
+-			if (! fwrite (buf, sizeof *buf, chars_read, tmpfp))
++			if (fwrite (buf, sizeof *buf, chars_read, tmpfp)
++			    < chars_read)
+ 			    write_fatal ();
+ 		    if (chars_read == 2  &&  strEQ (buf, ".\n"))
+ 			break;
+@@ -2448,7 +2452,7 @@ do_ed_script (char const *inname, char const *outname,
+     }
+     if (dry_run || skip_rest_of_patch)
+       return;
+-    if (fwrite ("w\nq\n", sizeof (char), (size_t) 4, tmpfp) == 0
++    if (fwrite ("w\nq\n", sizeof (char), (size_t) 4, tmpfp) < (size_t) 4
+ 	|| fflush (tmpfp) != 0)
+       write_fatal ();
+ 

patch-2.7.6-cleanups-in-do_ed_script.patch

@@ -0,0 +1,91 @@
+commit 2a32bf09f5e9572da4be183bb0dbde8164351474
+Author: Andreas Gruenbacher <agruen@gnu.org>
+Date:   Fri Apr 6 20:32:46 2018 +0200
+
+    Minor cleanups in do_ed_script
+    
+    * src/pch.c (do_ed_script): Minor cleanups.
+
+diff --git a/src/pch.c b/src/pch.c
+index 1f14624..1055542 100644
+--- a/src/pch.c
++++ b/src/pch.c
+@@ -2396,6 +2396,10 @@ do_ed_script (char const *inname, char const *outname,
+     char const *tmpname;
+     int tmpfd;
+     pid_t pid;
++    int exclusive = *outname_needs_removal ? 0 : O_EXCL;
++    char const **ed_argv;
++    int stdin_dup, status;
++
+ 
+     if (! dry_run && ! skip_rest_of_patch)
+       {
+@@ -2443,7 +2447,7 @@ do_ed_script (char const *inname, char const *outname,
+ 	    break;
+ 	}
+     }
+-    if (!tmpfp)
++    if (dry_run || skip_rest_of_patch)
+       return;
+     if (fwrite ("w\nq\n", sizeof (char), (size_t) 4, tmpfp) == 0
+ 	|| fflush (tmpfp) != 0)
+@@ -2452,36 +2456,29 @@ do_ed_script (char const *inname, char const *outname,
+     if (lseek (tmpfd, 0, SEEK_SET) == -1)
+       pfatal ("Can't rewind to the beginning of file %s", quotearg (tmpname));
+ 
+-    if (! dry_run && ! skip_rest_of_patch) {
+-	int exclusive = *outname_needs_removal ? 0 : O_EXCL;
+-	char const **ed_argv;
+-	int stdin_dup, status;
+-
++    if (inerrno != ENOENT)
++      {
+ 	*outname_needs_removal = true;
+-	if (inerrno != ENOENT)
+-	  {
+-	    *outname_needs_removal = true;
+-	    copy_file (inname, outname, 0, exclusive, instat.st_mode, true);
+-	  }
+-	fflush (stdout);
+-
+-	if ((stdin_dup = dup (0)) == -1
+-	    || dup2 (tmpfd, 0) == -1)
+-	  pfatal ("Failed to duplicate standard input");
+-	assert (outname[0] != '!' && outname[0] != '-');
+-	ed_argv = alloca (4 * sizeof * ed_argv);
+-	ed_argv[0] = editor_program;
+-	ed_argv[1] = "-";
+-	ed_argv[2] = outname;
+-	ed_argv[3] = (char  *) NULL;
+-	status = execute (editor_program, editor_program, (char **)ed_argv,
+-			  false, false, false, false, true, false, NULL);
+-	if (status)
+-	  fatal ("%s FAILED", editor_program);
+-	if (dup2 (stdin_dup, 0) == -1
+-	    || close (stdin_dup) == -1)
+-	  pfatal ("Failed to duplicate standard input");
+-    }
++	copy_file (inname, outname, 0, exclusive, instat.st_mode, true);
++      }
++    fflush (stdout);
++
++    if ((stdin_dup = dup (0)) == -1
++	|| dup2 (tmpfd, 0) == -1)
++      pfatal ("Failed to duplicate standard input");
++    assert (outname[0] != '!' && outname[0] != '-');
++    ed_argv = alloca (4 * sizeof * ed_argv);
++    ed_argv[0] = editor_program;
++    ed_argv[1] = "-";
++    ed_argv[2] = outname;
++    ed_argv[3] = (char  *) NULL;
++    status = execute (editor_program, editor_program, (char **)ed_argv,
++		      false, false, false, false, true, false, NULL);
++    if (status)
++      fatal ("%s FAILED", editor_program);
++    if (dup2 (stdin_dup, 0) == -1
++	|| close (stdin_dup) == -1)
++      pfatal ("Failed to duplicate standard input");
+ 
+     fclose (tmpfp);
+     safe_unlink (tmpname);

patch-2.7.6-dont-leak-temporary-file-on-failed-ed-style-patch.patch

@@ -0,0 +1,95 @@
+commit 19599883ffb6a450d2884f081f8ecf68edbed7ee
+Author: Jean Delvare <jdelvare@suse.de>
+Date:   Thu May 3 14:31:55 2018 +0200
+
+    Don't leak temporary file on failed ed-style patch
+    
+    Now that we write ed-style patches to a temporary file before we
+    apply them, we need to ensure that the temporary file is removed
+    before we leave, even on fatal error.
+    
+    * src/pch.c (do_ed_script): Use global TMPEDNAME instead of local
+      tmpname. Don't unlink the file directly, instead tag it for removal
+      at exit time.
+    * src/patch.c (cleanup): Unlink TMPEDNAME at exit.
+    
+    This closes bug #53820:
+    https://savannah.gnu.org/bugs/index.php?53820
+    
+    Fixes: 123eaff0d5d1 ("Fix arbitrary command execution in ed-style patches (CVE-2018-1000156)")
+
+diff --git a/src/common.h b/src/common.h
+index 904a3f8..53c5e32 100644
+--- a/src/common.h
++++ b/src/common.h
+@@ -94,10 +94,12 @@ XTERN char const *origsuff;
+ XTERN char const * TMPINNAME;
+ XTERN char const * TMPOUTNAME;
+ XTERN char const * TMPPATNAME;
++XTERN char const * TMPEDNAME;
+ 
+ XTERN bool TMPINNAME_needs_removal;
+ XTERN bool TMPOUTNAME_needs_removal;
+ XTERN bool TMPPATNAME_needs_removal;
++XTERN bool TMPEDNAME_needs_removal;
+ 
+ #ifdef DEBUGGING
+ XTERN int debug;
+diff --git a/src/patch.c b/src/patch.c
+index 3fcaec5..9146597 100644
+--- a/src/patch.c
++++ b/src/patch.c
+@@ -1999,6 +1999,7 @@ cleanup (void)
+   remove_if_needed (TMPINNAME, &TMPINNAME_needs_removal);
+   remove_if_needed (TMPOUTNAME, &TMPOUTNAME_needs_removal);
+   remove_if_needed (TMPPATNAME, &TMPPATNAME_needs_removal);
++  remove_if_needed (TMPEDNAME, &TMPEDNAME_needs_removal);
+   remove_if_needed (TMPREJNAME, &TMPREJNAME_needs_removal);
+   output_files (NULL);
+ }
+diff --git a/src/pch.c b/src/pch.c
+index 79a3c99..1bb3153 100644
+--- a/src/pch.c
++++ b/src/pch.c
+@@ -2396,7 +2396,6 @@ do_ed_script (char const *inname, char const *outname,
+     file_offset beginning_of_this_line;
+     size_t chars_read;
+     FILE *tmpfp = 0;
+-    char const *tmpname;
+     int tmpfd = -1; /* placate gcc's -Wmaybe-uninitialized */
+     int exclusive = *outname_needs_removal ? 0 : O_EXCL;
+     char const **ed_argv;
+@@ -2411,12 +2410,13 @@ do_ed_script (char const *inname, char const *outname,
+ 	   invalid commands and treats the next line as a new command, which
+ 	   can lead to arbitrary command execution.  */
+ 
+-	tmpfd = make_tempfile (&tmpname, 'e', NULL, O_RDWR | O_BINARY, 0);
++	tmpfd = make_tempfile (&TMPEDNAME, 'e', NULL, O_RDWR | O_BINARY, 0);
+ 	if (tmpfd == -1)
+-	  pfatal ("Can't create temporary file %s", quotearg (tmpname));
++	  pfatal ("Can't create temporary file %s", quotearg (TMPEDNAME));
++	TMPEDNAME_needs_removal = true;
+ 	tmpfp = fdopen (tmpfd, "w+b");
+ 	if (! tmpfp)
+-	  pfatal ("Can't open stream for file %s", quotearg (tmpname));
++	  pfatal ("Can't open stream for file %s", quotearg (TMPEDNAME));
+       }
+ 
+     for (;;) {
+@@ -2457,7 +2457,7 @@ do_ed_script (char const *inname, char const *outname,
+       write_fatal ();
+ 
+     if (lseek (tmpfd, 0, SEEK_SET) == -1)
+-      pfatal ("Can't rewind to the beginning of file %s", quotearg (tmpname));
++      pfatal ("Can't rewind to the beginning of file %s", quotearg (TMPEDNAME));
+ 
+     if (inerrno != ENOENT)
+       {
+@@ -2484,7 +2484,6 @@ do_ed_script (char const *inname, char const *outname,
+       pfatal ("Failed to duplicate standard input");
+ 
+     fclose (tmpfp);
+-    safe_unlink (tmpname);
+ 
+     if (ofp)
+       {

patch-2.7.6-dont-leak-temporary-file-on-failed-multi-file-ed-style-patch.patch

@@ -0,0 +1,71 @@
+commit 369dcccdfa6336e5a873d6d63705cfbe04c55727
+Author: Jean Delvare <jdelvare@suse.de>
+Date:   Mon May 7 15:14:45 2018 +0200
+
+    Don't leak temporary file on failed multi-file ed-style patch
+    
+    The previous fix worked fine with single-file ed-style patches, but
+    would still leak temporary files in the case of multi-file ed-style
+    patch. Fix that case as well, and extend the test case to check for
+    it.
+    
+    * src/patch.c (main): Unlink TMPEDNAME if needed before moving to
+      the next file in a patch.
+    
+    This closes bug #53820:
+    https://savannah.gnu.org/bugs/index.php?53820
+    
+    Fixes: 123eaff0d5d1 ("Fix arbitrary command execution in ed-style patches (CVE-2018-1000156)")
+    Fixes: 19599883ffb6 ("Don't leak temporary file on failed ed-style patch")
+
+diff --git a/src/patch.c b/src/patch.c
+index 9146597..81c7a02 100644
+--- a/src/patch.c
++++ b/src/patch.c
+@@ -236,6 +236,7 @@ main (int argc, char **argv)
+ 	    }
+ 	  remove_if_needed (TMPOUTNAME, &TMPOUTNAME_needs_removal);
+ 	}
++      remove_if_needed (TMPEDNAME, &TMPEDNAME_needs_removal);
+ 
+       if (! skip_rest_of_patch && ! file_type)
+ 	{
+diff --git a/tests/ed-style b/tests/ed-style
+index 6b6ef9d..504e6e5 100644
+--- a/tests/ed-style
++++ b/tests/ed-style
+@@ -38,3 +38,34 @@ EOF
+ check 'cat foo' <<EOF
+ foo
+ EOF
++
++# Test the case where one ed-style patch modifies several files
++
++cat > ed3.diff <<EOF
++--- foo
+++++ foo
++1c
++bar
++.
++--- baz
+++++ baz
++0a
++baz
++.
++EOF
++
++# Apparently we can't create a file with such a patch, while it works fine
++# when the file name is provided on the command line
++cat > baz <<EOF
++EOF
++
++check 'patch -e -i ed3.diff' <<EOF
++EOF
++
++check 'cat foo' <<EOF
++bar
++EOF
++
++check 'cat baz' <<EOF
++baz
++EOF

patch-2.7.6-fix-ed-style-test-failure.patch

@@ -0,0 +1,22 @@
+commit 458ac51a05426c1af9aa6bf1342ecf60728c19b4
+Author: Bruno Haible <bruno@clisp.org>
+Date:   Sat Apr 7 12:34:03 2018 +0200
+
+    Fix 'ed-style' test failure.
+    
+    * tests/ed-style: Remove '?' line from expected output.
+
+diff --git a/tests/ed-style b/tests/ed-style
+index d8c0689..6b6ef9d 100644
+--- a/tests/ed-style
++++ b/tests/ed-style
+@@ -31,8 +31,7 @@ r !echo bar
+ ,p
+ EOF
+ 
+-check 'patch -e foo -i ed2.diff 2> /dev/null || echo "Status: $?"' <<EOF
+-?
++check 'patch -e foo -i ed2.diff > /dev/null 2> /dev/null || echo "Status: $?"' <<EOF
+ Status: 2
+ EOF
+ 

patch-2.7.6-fix-korn-shell-incompatibility.patch

@@ -0,0 +1,21 @@
+commit 074e2395f81d0ecaa66b71a6c228c70b49db72e5
+Author: Andreas Gruenbacher <agruen@gnu.org>
+Date:   Wed Feb 7 17:05:00 2018 +0100
+
+    Test suite: fix Korn shell incompatibility
+    
+    tests/merge: In a Korn shell, shift apparently fails when $# is 0.
+
+diff --git a/tests/merge b/tests/merge
+index b628891..e950b92 100644
+--- a/tests/merge
++++ b/tests/merge
+@@ -32,7 +32,7 @@ x2() {
+ 	shift
+     done > b.sed
+     echo "$body" | sed -f b.sed > b
+-    shift
++    test $# -eq 0 || shift
+     while test $# -gt 0 ; do
+ 	echo "$1"
+ 	shift

patch-2.7.6-fix-segfault-with-mangled-rename-patch.patch

@@ -0,0 +1,24 @@
+commit f290f48a621867084884bfff87f8093c15195e6a
+Author: Andreas Gruenbacher <agruen@gnu.org>
+Date:   Mon Feb 12 16:48:24 2018 +0100
+
+    Fix segfault with mangled rename patch
+    
+    http://savannah.gnu.org/bugs/?53132
+    * src/pch.c (intuit_diff_type): Ensure that two filenames are specified
+    for renames and copies (fix the existing check).
+
+diff --git a/src/pch.c b/src/pch.c
+index ff9ed2c..bc6278c 100644
+--- a/src/pch.c
++++ b/src/pch.c
+@@ -974,7 +974,8 @@ intuit_diff_type (bool need_header, mode_t *p_file_type)
+     if ((pch_rename () || pch_copy ())
+ 	&& ! inname
+ 	&& ! ((i == OLD || i == NEW) &&
+-	      p_name[! reverse] &&
++	      p_name[reverse] && p_name[! reverse] &&
++	      name_is_valid (p_name[reverse]) &&
+ 	      name_is_valid (p_name[! reverse])))
+       {
+ 	say ("Cannot %s file without two valid file names\n", pch_rename () ? "rename" : "copy");

patch-2.7.6-make-debug-output-more-useful.patch

@@ -0,0 +1,40 @@
+commit ff81775f4eb6ab9a91b75e4031e8216654c0c76a
+Author: Andreas Gruenbacher <agruen@gnu.org>
+Date:   Fri Aug 17 10:31:22 2018 +0200
+
+    Make the (debug & 2) output more useful
+    
+    * src/pch.c (another_hunk): In the (debug & 2) output, fix how empty
+    lines that are not part of the patch context are printed.  Also, add
+    newlines to lines that are missing them to keep the output readable.
+
+diff --git a/src/pch.c b/src/pch.c
+index 1bb3153..e92bc64 100644
+--- a/src/pch.c
++++ b/src/pch.c
+@@ -1916,8 +1916,13 @@ another_hunk (enum diff difftype, bool rev)
+ 	lin i;
+ 
+ 	for (i = 0; i <= p_end + 1; i++) {
+-	    fprintf (stderr, "%s %c",
+-		     format_linenum (numbuf0, i),
++	    fputs (format_linenum (numbuf0, i), stderr);
++	    if (p_Char[i] == '\n')
++	      {
++	        fputc('\n', stderr);
++		continue;
++	      }
++	    fprintf (stderr, " %c",
+ 		     p_Char[i]);
+ 	    if (p_Char[i] == '*')
+ 	      fprintf (stderr, " %s,%s\n",
+@@ -1930,7 +1935,8 @@ another_hunk (enum diff difftype, bool rev)
+ 	    else if (p_Char[i] != '^')
+ 	      {
+ 		fputs(" |", stderr);
+-		pch_write_line (i, stderr);
++		if (! pch_write_line (i, stderr))
++		  fputc('\n', stderr);
+ 	      }
+ 	    else
+ 	      fputc('\n', stderr);

patch-2.7.6-skip-ed-test-when-the-ed-utility-is-not-installed.patch

@@ -0,0 +1,20 @@
+commit a5b442ce01b80a758606ede316f739426a12bc33
+Author: Andreas Gruenbacher <agruen@gnu.org>
+Date:   Thu Jun 27 11:09:31 2019 +0200
+
+    Skip "ed" test when the ed utility is not installed
+    
+    * tests/ed-style: Require ed.
+
+diff --git a/tests/ed-style b/tests/ed-style
+index 504e6e5..9907cb6 100644
+--- a/tests/ed-style
++++ b/tests/ed-style
+@@ -7,6 +7,7 @@
+ . $srcdir/test-lib.sh
+ 
+ require cat
++require ed
+ use_local_patch
+ use_tmpdir
+ 

patch-2.7.6-test-suite-compatibility-fixes.patch

@@ -0,0 +1,124 @@
+commit f6bc5b14bd193859851d15a049bafb1007acd288
+Author: Andreas Gruenbacher <agruen@gnu.org>
+Date:   Wed Feb 7 12:10:41 2018 +0100
+
+    Test suite compatibility fixes
+    
+    * tests/crlf-handling, tests/git-cleanup, tests/test-lib.sh: Use printf
+    instead of echo -e / echo -n for compatibility with systems that don't
+    support these echo options.
+    * tests/merge: Minor other cleanups.
+
+diff --git a/tests/crlf-handling b/tests/crlf-handling
+index 239149c..c192cac 100644
+--- a/tests/crlf-handling
++++ b/tests/crlf-handling
+@@ -14,7 +14,7 @@ use_local_patch
+ use_tmpdir
+ 
+ lf2crlf() {
+-    while read l; do echo -e "$l\r"; done
++    while read l; do printf "%s\r\n" "$l"; done
+ }
+ 
+ echo 1 > a
+diff --git a/tests/git-cleanup b/tests/git-cleanup
+index 2e3e4c6..ca527a1 100644
+--- a/tests/git-cleanup
++++ b/tests/git-cleanup
+@@ -36,8 +36,8 @@ BAD PATCH
+ EOF
+ 
+ echo 1 > f
+-echo -n '' > g
+-echo -n '' > h
++printf '' > g
++printf '' > h
+ 
+ check 'patch -f -i 1.diff || echo status: $?' <<EOF
+ patching file f
+diff --git a/tests/merge b/tests/merge
+index 22d787b..b628891 100644
+--- a/tests/merge
++++ b/tests/merge
+@@ -30,30 +30,28 @@ x2() {
+     while test $# -gt 0 && test "$1" != -- ; do
+ 	echo "$1"
+ 	shift
+-    done > a.sed
+-    echo "$body" | sed -f a.sed > b
++    done > b.sed
++    echo "$body" | sed -f b.sed > b
+     shift
+     while test $# -gt 0 ; do
+ 	echo "$1"
+ 	shift
+-    done > b.sed
+-    echo "$body" | sed -f b.sed > c
+-    rm -f a.sed b.sed
++    done > c.sed
++    echo "$body" | sed -f c.sed > c
++    rm -f b.sed c.sed
+     output=`diff -u a b | patch $ARGS -f c`
+     status=$?
+     echo "$output" | sed -e '/^$/d' -e '/^patching file c$/d'
+     cat c
+-    test $status == 0 || echo "Status: $status"
++    test $status = 0 || echo "Status: $status"
+ }
+ 
+ x() {
+-    ARGS="$ARGS --merge" x2 "$@"
++    ARGS="--merge" x2 "$@"
+     echo
+-    ARGS="$ARGS --merge=diff3" x2 "$@"
++    ARGS="--merge=diff3" x2 "$@"
+ }
+ 
+-unset ARGS
+-
+ # ==============================================================
+ 
+ check 'x 3' <<EOF
+diff --git a/tests/test-lib.sh b/tests/test-lib.sh
+index be0d7e3..661da52 100644
+--- a/tests/test-lib.sh
++++ b/tests/test-lib.sh
+@@ -41,7 +41,7 @@ use_local_patch() {
+ 
+     eval 'patch() {
+ 	if test -n "$GDB" ; then
+-	  echo -e "\n" >&3
++	  printf "\n\n" >&3
+ 	  gdbserver localhost:53153 $PATCH "$@" 2>&3
+ 	else
+           $PATCH "$@"
+@@ -113,22 +113,15 @@ cleanup() {
+     exit $status
+ }
+ 
+-if test -z "`echo -n`"; then
+-    if eval 'test -n "${BASH_LINENO[0]}" 2>/dev/null'; then
+-	eval '
+-	    _start_test() {
+-		echo -n "[${BASH_LINENO[2]}] $* -- "
+-	    }'
+-    else
+-	eval '
+-	    _start_test() {
+-		echo -n "* $* -- "
+-	    }'
+-    fi
++if eval 'test -n "${BASH_LINENO[0]}" 2>/dev/null'; then
++    eval '
++	_start_test() {
++	    printf "[${BASH_LINENO[2]}] %s -- " "$*"
++	}'
+ else
+     eval '
+ 	_start_test() {
+-	    echo "* $*"
++	    printf "* %s -- " "$*"
+ 	}'
+ fi
+ 

patch-CVE-2018-1000156.patch

@@ -1,6 +1,19 @@
-diff -up patch-2.7.6/src/pch.c.CVE-2018-1000156 patch-2.7.6/src/pch.c
---- patch-2.7.6/src/pch.c.CVE-2018-1000156	2018-02-03 12:41:49.000000000 +0000
-+++ patch-2.7.6/src/pch.c	2018-05-03 12:50:43.374036905 +0100
+commit 123eaff0d5d1aebe128295959435b9ca5909c26d
+Author: Andreas Gruenbacher <agruen@gnu.org>
+Date:   Fri Apr 6 12:14:49 2018 +0200
+
+    Fix arbitrary command execution in ed-style patches (CVE-2018-1000156)
+    
+    * src/pch.c (do_ed_script): Write ed script to a temporary file instead
+    of piping it to ed: this will cause ed to abort on invalid commands
+    instead of rejecting them and carrying on.
+    * tests/ed-style: New test case.
+    * tests/Makefile.am (TESTS): Add test case.
+
+diff --git a/src/pch.c b/src/pch.c
+index 0c5cc26..4fd5a05 100644
+--- a/src/pch.c
++++ b/src/pch.c
 @@ -33,6 +33,7 @@
  # include <io.h>
  #endif
@@ -9,7 +22,7 @@ diff -up patch-2.7.6/src/pch.c.CVE-2018-1000156 patch-2.7.6/src/pch.c
  
  #define INITHUNKMAX 125			/* initial dynamic allocation size */
  
-@@ -2388,22 +2389,28 @@ do_ed_script (char const *inname, char c
+@@ -2389,24 +2390,28 @@ do_ed_script (char const *inname, char const *outname,
      static char const editor_program[] = EDITOR_PROGRAM;
  
      file_offset beginning_of_this_line;
@@ -17,30 +30,32 @@ diff -up patch-2.7.6/src/pch.c.CVE-2018-1000156 patch-2.7.6/src/pch.c
      size_t chars_read;
 +    FILE *tmpfp = 0;
 +    char const *tmpname;
-+    int tmpfd = -1;
++    int tmpfd;
 +    pid_t pid;
 +
 +    if (! dry_run && ! skip_rest_of_patch)
 +      {
-+       /* Write ed script to a temporary file.  This causes ed to abort on
-+          invalid commands such as when line numbers or ranges exceed the
-+          number of available lines.  When ed reads from a pipe, it rejects
-+          invalid commands and treats the next line as a new command, which
-+          can lead to arbitrary command execution.  */
++	/* Write ed script to a temporary file.  This causes ed to abort on
++	   invalid commands such as when line numbers or ranges exceed the
++	   number of available lines.  When ed reads from a pipe, it rejects
++	   invalid commands and treats the next line as a new command, which
++	   can lead to arbitrary command execution.  */
 +
-+       tmpfd = make_tempfile (&tmpname, 'e', NULL, O_RDWR | O_BINARY, 0);
-+       if (tmpfd == -1)
-+         pfatal ("Can't create temporary file %s", quotearg (tmpname));
-+       tmpfp = fdopen (tmpfd, "w+b");
-+       if (! tmpfp)
-+         pfatal ("Can't open stream for file %s", quotearg (tmpname));
++	tmpfd = make_tempfile (&tmpname, 'e', NULL, O_RDWR | O_BINARY, 0);
++	if (tmpfd == -1)
++	  pfatal ("Can't create temporary file %s", quotearg (tmpname));
++	tmpfp = fdopen (tmpfd, "w+b");
++	if (! tmpfp)
++	  pfatal ("Can't open stream for file %s", quotearg (tmpname));
 +      }
  
 -    if (! dry_run && ! skip_rest_of_patch) {
 -	int exclusive = *outname_needs_removal ? 0 : O_EXCL;
--	assert (! inerrno);
--	*outname_needs_removal = true;
--	copy_file (inname, outname, 0, exclusive, instat.st_mode, true);
+-	if (inerrno != ENOENT)
+-	  {
+-	    *outname_needs_removal = true;
+-	    copy_file (inname, outname, 0, exclusive, instat.st_mode, true);
+-	  }
 -	sprintf (buf, "%s %s%s", editor_program,
 -		 verbosity == VERBOSE ? "" : "- ",
 -		 outname);
@@ -52,7 +67,7 @@ diff -up patch-2.7.6/src/pch.c.CVE-2018-1000156 patch-2.7.6/src/pch.c
      for (;;) {
  	char ed_command_letter;
  	beginning_of_this_line = file_tell (pfp);
-@@ -2414,14 +2421,14 @@ do_ed_script (char const *inname, char c
+@@ -2417,14 +2422,14 @@ do_ed_script (char const *inname, char const *outname,
  	}
  	ed_command_letter = get_ed_command_letter (buf);
  	if (ed_command_letter) {
@@ -71,7 +86,7 @@ diff -up patch-2.7.6/src/pch.c.CVE-2018-1000156 patch-2.7.6/src/pch.c
  			    write_fatal ();
  		    if (chars_read == 2  &&  strEQ (buf, ".\n"))
  			break;
-@@ -2434,13 +2441,50 @@ do_ed_script (char const *inname, char c
+@@ -2437,13 +2442,49 @@ do_ed_script (char const *inname, char const *outname,
  	    break;
  	}
      }
@@ -90,47 +105,60 @@ diff -up patch-2.7.6/src/pch.c.CVE-2018-1000156 patch-2.7.6/src/pch.c
 +      pfatal ("Can't rewind to the beginning of file %s", quotearg (tmpname));
 +
 +    if (! dry_run && ! skip_rest_of_patch) {
-+       int exclusive = *outname_needs_removal ? 0 : O_EXCL;
-+       *outname_needs_removal = true;
-+       if (inerrno != ENOENT)
-+         {
-+           *outname_needs_removal = true;
-+           copy_file (inname, outname, 0, exclusive, instat.st_mode, true);
-+         }
-+       sprintf (buf, "%s %s%s", editor_program,
-+                verbosity == VERBOSE ? "" : "- ",
-+                outname);
-+       fflush (stdout);
++	int exclusive = *outname_needs_removal ? 0 : O_EXCL;
++	*outname_needs_removal = true;
++	if (inerrno != ENOENT)
++	  {
++	    *outname_needs_removal = true;
++	    copy_file (inname, outname, 0, exclusive, instat.st_mode, true);
++	  }
++	sprintf (buf, "%s %s%s", editor_program,
++		 verbosity == VERBOSE ? "" : "- ",
++		 outname);
++	fflush (stdout);
 +
-+       pid = fork();
-+       if (pid == -1)
-+         pfatal ("Can't fork");
-+       else if (pid == 0)
-+         {
-+           dup2 (tmpfd, 0);
-+           execl ("/bin/sh", "sh", "-c", buf, (char *) 0);
-+           _exit (2);
-+         }
-+       else
-+         {
-+           int wstatus;
-+           if (waitpid (pid, &wstatus, 0) == -1
-+               || ! WIFEXITED (wstatus)
-+               || WEXITSTATUS (wstatus) != 0)
-+             fatal ("%s FAILED", editor_program);
-+         }
++	pid = fork();
++	if (pid == -1)
++	  pfatal ("Can't fork");
++	else if (pid == 0)
++	  {
++	    dup2 (tmpfd, 0);
++	    execl ("/bin/sh", "sh", "-c", buf, (char *) 0);
++	    _exit (2);
++	  }
++	else
++	  {
++	    int wstatus;
++	    if (waitpid (pid, &wstatus, 0) == -1
++	        || ! WIFEXITED (wstatus)
++		|| WEXITSTATUS (wstatus) != 0)
++	      fatal ("%s FAILED", editor_program);
++	  }
 +    }
 +
 +    fclose (tmpfp);
-+    unlink (tmpname);
-+    free((char*) tmpname);
++    safe_unlink (tmpname);
  
      if (ofp)
        {
-diff -up patch-2.7.6/tests/ed-style.CVE-2018-1000156 patch-2.7.6/tests/ed-style
---- patch-2.7.6/tests/ed-style.CVE-2018-1000156	2018-05-03 12:50:28.988937938 +0100
-+++ patch-2.7.6/tests/ed-style	2018-05-03 12:51:35.841397873 +0100
-@@ -0,0 +1,40 @@
+diff --git a/tests/Makefile.am b/tests/Makefile.am
+index 6b6df63..16f8693 100644
+--- a/tests/Makefile.am
++++ b/tests/Makefile.am
+@@ -32,6 +32,7 @@ TESTS = \
+ 	crlf-handling \
+ 	dash-o-append \
+ 	deep-directories \
++	ed-style \
+ 	empty-files \
+ 	false-match \
+ 	fifo \
+diff --git a/tests/ed-style b/tests/ed-style
+new file mode 100644
+index 0000000..d8c0689
+--- /dev/null
++++ b/tests/ed-style
+@@ -0,0 +1,41 @@
 +# Copyright (C) 2018 Free Software Foundation, Inc.
 +#
 +# Copying and distribution of this file, with or without modification,
@@ -139,7 +167,7 @@ diff -up patch-2.7.6/tests/ed-style.CVE-2018-1000156 patch-2.7.6/tests/ed-style
 +
 +. $srcdir/test-lib.sh
 +
-+require_cat
++require cat
 +use_local_patch
 +use_tmpdir
 +
@@ -164,46 +192,11 @@ diff -up patch-2.7.6/tests/ed-style.CVE-2018-1000156 patch-2.7.6/tests/ed-style
 +,p
 +EOF
 +
-+check 'patch -e foo -i ed2.diff > /dev/null 2> /dev/null || echo "Status: $?"' <<EOF
++check 'patch -e foo -i ed2.diff 2> /dev/null || echo "Status: $?"' <<EOF
++?
 +Status: 2
 +EOF
 +
 +check 'cat foo' <<EOF
 +foo
 +EOF
-diff -up patch-2.7.6/tests/Makefile.am.CVE-2018-1000156 patch-2.7.6/tests/Makefile.am
---- patch-2.7.6/tests/Makefile.am.CVE-2018-1000156	2018-05-03 12:50:28.988937938 +0100
-+++ patch-2.7.6/tests/Makefile.am	2018-05-03 12:50:57.340132989 +0100
-@@ -32,6 +32,7 @@ TESTS = \
- 	crlf-handling \
- 	dash-o-append \
- 	deep-directories \
-+	ed-style \
- 	empty-files \
- 	false-match \
- 	fifo \
-diff -up patch-2.7.6/tests/Makefile.in.CVE-2018-1000156 patch-2.7.6/tests/Makefile.in
---- patch-2.7.6/tests/Makefile.in.CVE-2018-1000156	2018-05-03 12:50:28.989937944 +0100
-+++ patch-2.7.6/tests/Makefile.in	2018-05-03 12:51:25.974329992 +0100
-@@ -1308,6 +1308,7 @@ TESTS = \
- 	crlf-handling \
- 	dash-o-append \
- 	deep-directories \
-+	ed-style \
- 	empty-files \
- 	false-match \
- 	fifo \
-@@ -1645,6 +1646,13 @@ empty-files.log: empty-files
- 	$(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \
- 	--log-file $$b.log --trs-file $$b.trs \
- 	$(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \
-+	"$$tst" $(AM_TESTS_FD_REDIRECT)
-+ed-style.log: empty-files
-+	@p='ed-style'; \
-+	b='ed-style'; \
-+	$(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \
-+	--log-file $$b.log --trs-file $$b.trs \
-+	$(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \
- 	"$$tst" $(AM_TESTS_FD_REDIRECT)
- false-match.log: false-match
- 	@p='false-match'; \

patch.spec

@@ -3,19 +3,34 @@
 Summary: Utility for modifying/upgrading files
 Name: patch
 Version: 2.7.6
-Release: 10%{?dist}
+Release: 11%{?dist}
 License: GPLv3+
 URL: http://www.gnu.org/software/patch/patch.html
 Source: ftp://ftp.gnu.org/gnu/patch/patch-%{version}.tar.xz
-Patch1: patch-CVE-2018-1000156.patch
-Patch2: patch-2.7.6-CVE-2018-6952.patch
-Patch3: patch-2.7.6-abort_when_cleaning_up_fails.patch
-Patch4: patch-2.7.6-CVE-2018-17942.patch
-Patch5: patch-2.7.6-improve_support_for_memory_leak_detection.patch
-Patch6: patch-2.7.6-crash-RLIMIT_NOFILE.patch
-Patch7: patch-2.7.6-CVE-2019-13636-symlinks.patch
-Patch8: patch-2.7.6-avoid_invalid_memory_access.patch
-Patch9: patch-2.7.6-failed_assertion.patch
+Patch0: patch-2.7.6-avoid-set_file_attributes-sign-conversion-warnings.patch
+patch1: patch-2.7.6-test-suite-compatibility-fixes.patch
+Patch2: patch-2.7.6-fix-korn-shell-incompatibility.patch
+Patch3: patch-2.7.6-fix-segfault-with-mangled-rename-patch.patch
+Patch4: patch-2.7.6-allow-input-files-to-be-missing-for-ed-style-patches.patch
+Patch5: patch-CVE-2018-1000156.patch
+Patch6: patch-2.7.6-CVE-2019-13638-invoked-ed-directly-instead-of-using-the-shell.patch
+Patch7: patch-2.7.6-switch-from-fork-execlp-to-execute.patch
+Patch8: patch-2.7.6-cleanups-in-do_ed_script.patch
+Patch9: patch-2.7.6-avoid-warnings-gcc8.patch
+Patch10: patch-2.7.6-check-of-return-value-of-fwrite.patch
+Patch11: patch-2.7.6-fix-ed-style-test-failure.patch
+Patch12: patch-2.7.6-dont-leak-temporary-file-on-failed-ed-style-patch.patch
+Patch13: patch-2.7.6-dont-leak-temporary-file-on-failed-multi-file-ed-style-patch.patch
+Patch14: patch-2.7.6-make-debug-output-more-useful.patch
+Patch15: patch-2.7.6-CVE-2018-6952-fix-swapping-fake-lines-in-pch_swap.patch
+Patch16: patch-2.7.6-improve_support_for_memory_leak_detection.patch
+patch17: patch-2.7.6-skip-ed-test-when-the-ed-utility-is-not-installed.patch
+Patch18: patch-2.7.6-abort_when_cleaning_up_fails.patch
+Patch19: patch-2.7.6-crash-RLIMIT_NOFILE.patch
+Patch20: patch-2.7.6-CVE-2019-13636-symlinks.patch
+Patch21: patch-2.7.6-avoid-invalid-memory-access-in-context-format-diffs.patch
+Patch22: patch-2.7.6-CVE-2018-17942.patch
+Patch23: patch-2.7.6-failed_assertion.patch
 Patch100: patch-selinux.patch
 
 BuildRequires: gcc
@@ -37,19 +52,32 @@ applications.
 
 %prep
 %setup -q
-
+%patch0 -p1 -b .avoid-set_file_attributes-sign-conversion-warnings
+%patch1 -p1 -b .test-suite-compatibility-fixes
+%patch2 -p1 -b .fix-korn-shell-incompatibility
+%patch3 -p1 -b .fix-segfault-with-mangled-rename-patch
+%patch4 -p1 -b .allow-input-files-to-be-missing-for-ed-style-patches
 # CVE-2018-1000156, Malicious patch files cause ed to execute arbitrary commands
-%patch1 -p1 -b .CVE-2018-1000156
-# CVE-2018-6952, Double free of memory
-%patch2 -p1 -b .CVE-2018-6952
-%patch3 -p1 -b .abort_when_cleaning_up_fails
+%patch5 -p1 -b .CVE-2018-1000156
+%patch6 -p1 -b .CVE-2019-13638-invoked-ed-directly-instead-of-using-the-shell
+%patch7 -p1 -b .switch-from-fork-execlp-to-execute
+%patch8 -p1 -b .cleanups-in-do_ed_script
+%patch9 -p1 -b .avoid-warnings-gcc8
+%patch10 -p1 -b .check-of-return-value-of-fwrite
+%patch11 -p1 -b .fix-ed-style-test-failure
+%patch12 -p1 -b .dont-leak-temporary-file-on-failed-ed-style-patch
+%patch13 -p1 -b .dont-leak-temporary-file-on-failed-multi-file-ed-style-patch
+%patch14 -p1 -b .make-debug-output-more-useful
+%patch15 -p1 -b .CVE-2018-6952-fix-swapping-fake-lines-in-pch_swap
+%patch16 -p1 -b .improve_support_for_memory_leak_detection
+%patch17 -p1 -b .skip-ed-test-when-the-ed-utility-is-not-installed
+%patch18 -p1 -b .abort_when_cleaning_up_fails
+%patch19 -p1 -b .crash-RLIMIT_NOFILE
+%patch20 -p1 -b .CVE-2019-13636-symlinks
+%patch21 -p1 -b .avoid-invalid-memory-access-in-context-format-diffs
 # CVE-2018-17942 gnulib: heap-based buffer overflow
-%patch4 -p1 -b .gnulib_buffer_overflow
-%patch5 -p1 -b .improve_support_for_memory_leak_detection
-%patch6 -p1 -b .crash-RLIMIT_NOFILE
-%patch7 -p1 -b .CVE-2019-13636-symlinks
-%patch8 -p1 -b .avoid_invalid_memory_access
-%patch9 -p1 -b .failed_assertion
+%patch22 -p1 -b .CVE-2018-17942-gnulib_buffer_overflow
+%patch23 -p1 -b .failed_assertion
 # SELinux support.
 %patch100 -p1 -b .selinux
 
@@ -58,6 +86,7 @@ CFLAGS="$RPM_OPT_FLAGS -D_GNU_SOURCE"
 %ifarch sparcv9
 CFLAGS=`echo $CFLAGS|sed -e 's|-fstack-protector||g'`
 %endif
+autoreconf
 %configure --disable-silent-rules
 make %{?_smp_mflags}
 
@@ -75,6 +104,9 @@ rm -rf $RPM_BUILD_ROOT
 %{_mandir}/*/*
 
 %changelog
+* Mon Jul 29 2019 Than Ngo <than@redhat.com> - 2.7.6-11
+- fixed #1733917, CVE-2019-13638 patch: OS shell command injection when processing crafted patch files 
+
 * Wed Jul 24 2019 Than Ngo <than@redhat.com> - 2.7.6-10
 - backported patch, abort when cleaning up fails
 - backported patch, improve support for memory leak detection