new file mode 100644

@@ -0,0 +1,108 @@

+From dce4683cbbe107a95f1f0d45fabc304acfb5d71a Mon Sep 17 00:00:00 2001

+From: Andreas Gruenbacher <agruen@gnu.org>

+Date: Mon, 15 Jul 2019 16:21:48 +0200

+Subject: Don't follow symlinks unless --follow-symlinks is given

+

+* src/inp.c (plan_a, plan_b), src/util.c (copy_to_fd, copy_file,

+append_to_file): Unless the --follow-symlinks option is given, open files with

+the O_NOFOLLOW flag to avoid following symlinks.  So far, we were only doing

+that consistently for input files.

+* src/util.c (create_backup): When creating empty backup files, (re)create them

+with O_CREAT | O_EXCL to avoid following symlinks in that case as well.

+---

+ src/inp.c  | 12 ++++++++++--

+ src/util.c | 14 +++++++++++---

+ 2 files changed, 21 insertions(+), 5 deletions(-)

+

+diff --git a/src/inp.c b/src/inp.c

+index 32d0919..22d7473 100644

+--- a/src/inp.c

+@@ -238,8 +238,13 @@ plan_a (char const *filename)

+     {

+       if (S_ISREG (instat.st_mode))

+         {

+-	  int ifd = safe_open (filename, O_RDONLY|binary_transput, 0);

++	  int flags = O_RDONLY | binary_transput;

+ 	  size_t buffered = 0, n;

++	  int ifd;

++

++	  if (! follow_symlinks)

++	    flags |= O_NOFOLLOW;

++	  ifd = safe_open (filename, flags, 0);

+ 	  if (ifd < 0)

+ 	    pfatal ("can't open file %s", quotearg (filename));

+ 

+@@ -340,6 +345,7 @@ plan_a (char const *filename)

+ static void

+ plan_b (char const *filename)

+ {

++  int flags = O_RDONLY | binary_transput;

+   int ifd;

+   FILE *ifp;

+   int c;

+@@ -353,7 +359,9 @@ plan_b (char const *filename)

+ 

+   if (instat.st_size == 0)

+     filename = NULL_DEVICE;

+-  if ((ifd = safe_open (filename, O_RDONLY | binary_transput, 0)) < 0

++  if (! follow_symlinks)

++    flags |= O_NOFOLLOW;

++  if ((ifd = safe_open (filename, flags, 0)) < 0

+       || ! (ifp = fdopen (ifd, binary_transput ? "rb" : "r")))

+     pfatal ("Can't open file %s", quotearg (filename));

+   if (TMPINNAME_needs_removal)

+diff --git a/src/util.c b/src/util.c

+index 1cc08ba..fb38307 100644

+--- a/src/util.c

+@@ -388,7 +388,7 @@ create_backup (char const *to, const struct stat *to_st, bool leave_original)

+ 

+ 	  try_makedirs_errno = ENOENT;

+ 	  safe_unlink (bakname);

+-	  while ((fd = safe_open (bakname, O_CREAT | O_WRONLY | O_TRUNC, 0666)) < 0)

++	  while ((fd = safe_open (bakname, O_CREAT | O_EXCL | O_WRONLY | O_TRUNC, 0666)) < 0)

+ 	    {

+ 	      if (errno != try_makedirs_errno)

+ 		pfatal ("Can't create file %s", quotearg (bakname));

+@@ -579,10 +579,13 @@ create_file (char const *file, int open_flags, mode_t mode,

+ static void

+ copy_to_fd (const char *from, int tofd)

+ {

++  int from_flags = O_RDONLY | O_BINARY;

+   int fromfd;

+   ssize_t i;

+ 

+-  if ((fromfd = safe_open (from, O_RDONLY | O_BINARY, 0)) < 0)

++  if (! follow_symlinks)

++    from_flags |= O_NOFOLLOW;

++  if ((fromfd = safe_open (from, from_flags, 0)) < 0)

+     pfatal ("Can't reopen file %s", quotearg (from));

+   while ((i = read (fromfd, buf, bufsize)) != 0)

+     {

+@@ -625,6 +628,8 @@ copy_file (char const *from, char const *to, struct stat *tost,

+   else

+     {

+       assert (S_ISREG (mode));

++      if (! follow_symlinks)

++	to_flags |= O_NOFOLLOW;

+       tofd = create_file (to, O_WRONLY | O_BINARY | to_flags, mode,

+ 			  to_dir_known_to_exist);

+       copy_to_fd (from, tofd);

+@@ -640,9 +645,12 @@ copy_file (char const *from, char const *to, struct stat *tost,

+ void

+ append_to_file (char const *from, char const *to)

+ {

++  int to_flags = O_WRONLY | O_APPEND | O_BINARY;

+   int tofd;

+ 

+-  if ((tofd = safe_open (to, O_WRONLY | O_BINARY | O_APPEND, 0)) < 0)

++  if (! follow_symlinks)

++    to_flags |= O_NOFOLLOW;

++  if ((tofd = safe_open (to, to_flags, 0)) < 0)

+     pfatal ("Can't reopen file %s", quotearg (to));

+   copy_to_fd (from, tofd);

+   if (close (tofd) != 0)

+-- 

+cgit v1.0-41-gc330

+

new file mode 100644

@@ -0,0 +1,38 @@

+From 3fcd042d26d70856e826a42b5f93dc4854d80bf0 Mon Sep 17 00:00:00 2001

+From: Andreas Gruenbacher <agruen@gnu.org>

+Date: Fri, 6 Apr 2018 19:36:15 +0200

+Subject: Invoke ed directly instead of using the shell

+

+* src/pch.c (do_ed_script): Invoke ed directly instead of using a shell

+command to avoid quoting vulnerabilities.

+---

+ src/pch.c | 6 ++----

+ 1 file changed, 2 insertions(+), 4 deletions(-)

+

+diff --git a/src/pch.c b/src/pch.c

+index 4fd5a05..16e001a 100644

+--- a/src/pch.c

+@@ -2459,9 +2459,6 @@ do_ed_script (char const *inname, char const *outname,

+ 	    *outname_needs_removal = true;

+ 	    copy_file (inname, outname, 0, exclusive, instat.st_mode, true);

+ 	  }

+-	sprintf (buf, "%s %s%s", editor_program,

+-		 verbosity == VERBOSE ? "" : "- ",

+-		 outname);

+ 	fflush (stdout);

+ 

+ 	pid = fork();

+@@ -2470,7 +2467,8 @@ do_ed_script (char const *inname, char const *outname,

+ 	else if (pid == 0)

+ 	  {

+ 	    dup2 (tmpfd, 0);

+-	    execl ("/bin/sh", "sh", "-c", buf, (char *) 0);

++	    assert (outname[0] != '!' && outname[0] != '-');

++	    execlp (editor_program, editor_program, "-", outname, (char  *) NULL);

+ 	    _exit (2);

+ 	  }

+ 	else

+-- 

+cgit v1.0-41-gc330

+

@@ -1,7 +1,7 @@

 Summary:        Program for modifying or creating files

 Name:           patch

 Version:        2.7.6

-Release:        3%{?dist}

+Release:        4%{?dist}

 License:        GPLv3+

 URL:            http://www.gnu.org/software/%{name}

 Source0:        ftp://ftp.gnu.org/gnu/patch/%{name}-%{version}.tar.gz

@@ -9,6 +9,8 @@ Source0:        ftp://ftp.gnu.org/gnu/patch/%{name}-%{version}.tar.gz

 Patch0:		CVE-2018-6951.patch

 Patch1:		CVE-2018-1000156.patch

 Patch2:		CVE-2018-6952.patch

+patch3:         CVE-2019-13636.patch

+Patch4:         CVE-2019-13638.patch

 Group:          Development/Tools

 Vendor:         VMware, Inc.

 Distribution:   Photon

@@ -23,6 +25,8 @@ file typically created by the diff program.

 %patch0	-p1

 %patch1 -p1

 %patch2 -p1

+%patch3 -p1

+%patch4 -p1

 %build

 %configure --disable-silent-rules

@@ -41,6 +45,8 @@ make  %{?_smp_mflags} check

 %{_mandir}/*/*

 %changelog

+*   Thu Aug 08 2019 Shreenidhi Shedi <sshedi@vmware.com> 2.7.6-4

+-   Apply patch for CVE-2019-13636, CVE-2019-13638

 *   Mon Nov 19 2018 Siju Maliakkal <smaliakkal@vmware.com> 2.7.6-3

 -   Add patches for CVE-2018-6951,CVE-2018-1000156,CVE-2018-6952

 *   Tue Oct 2 2018 Michelle Wang <michellew@vmware.com> 2.7.6-2