QID 671067
Date Published: 2021-11-29
QID 671067: EulerOS Security Update for patch (EulerOS-SA-2019-2645)
The patch program applies diff files to originals.
The diff command is used to compare an original to a changed file.
Diff lists the changes made to the file.
A person who has the original file can then use the patch command with the diff file to add the changes to their original file (patching the file).
Patch should be installed because it is a common way of upgrading applications.
Security fix(es): An issue was discovered in GNU patch before 2.7.6. Out-of-bounds access within pch_write_line() in pch.c can possibly lead to DoS via a crafted input file. (CVE-2016-10713)
do_ed_script in pch.c in GNU patch through 2.7.6 does not block strings beginning with a ! character. NOTE: this is the same commit as for CVE-2019-13638, but the ! syntax is specific to ed, and is unrelated to a shell metacharacter. (CVE-2018-20969)
GNU patch 2.7.1 allows remote attackers to write to arbitrary files via a symlink attack in a patch file. (CVE-2015-1196)
GNU patch 2.7.2 and earlier allows remote attackers to cause a denial of service (memory consumption and segmentation fault) via a crafted diff file. (CVE-2014-9637)
GNU patch through 2.7.6 is vulnerable to OS shell command injection that can be exploited by opening a crafted patch file that contains an ed style diff payload with shell metacharacters. The ed editor does not need to be present on the vulnerable system. This is different from CVE-2018-1000156. (CVE-2019-13638)
Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
An arbitrary attacker may exploit this vulnerability to compromise the system.
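As an added, defensive example that is not part of the Qualys record or of GNU patch itself: a small Python pre-check that flags patch files containing ed-style hunks (the only diff format for which patch hands the script to ed) and reports any command line beginning with `!` inside such a hunk, the construct named in CVE-2018-20969 and CVE-2019-13638. The sample patch texts are constructed; `PLACEHOLDER_COMMAND` is a placeholder, not a payload. The regular expressions are my own approximation of how patch recognises ed commands and file headers, not patch's actual parser, so treat any finding as a reason to require a unified diff rather than as a precise reproduction of patch's logic.

```python
import re
from dataclasses import dataclass

# Approximation of an ed command line such as "1a", "3,5d" or "2c"
# (assumption: patch's real detection in pch.c is more involved).
ED_CMD = re.compile(r"^(\d+)(,(\d+))?([acdi])$")
# File or hunk header lines for unified, context and Index: style diffs.
FILE_HDR = re.compile(r"^(\+\+\+|---|\*\*\*|Index:)\s+(\S+)")


@dataclass
class Finding:
    line_no: int
    kind: str   # "ed-hunk" or "shell-escape"
    text: str


def scan_patch(text: str) -> list[Finding]:
    """Return one Finding per ed-style command and per '!' line inside an ed script."""
    findings: list[Finding] = []
    in_ed = False           # an ed command has been seen for the current file
    in_text_block = False   # inside the body of an a/c/i command, until a lone "."
    for n, line in enumerate(text.splitlines(), 1):
        if in_text_block:
            # Lines here are data that ed would insert, not commands.
            if line == ".":
                in_text_block = False
            continue
        if FILE_HDR.match(line):
            in_ed = False   # a new file section; unified/context diffs never use ed
            continue
        m = ED_CMD.match(line)
        if m:
            findings.append(Finding(n, "ed-hunk", line))
            in_ed = True
            if m.group(4) in "aci":
                in_text_block = True
            continue
        # Context diffs also prefix changed lines with "! ", so only count
        # a leading "!" as an ed shell escape once an ed command has been seen.
        if in_ed and line.startswith("!"):
            findings.append(Finding(n, "shell-escape", line))
    return findings


def is_safe_to_apply(text: str) -> bool:
    """True only when the patch contains no ed-style hunks at all."""
    return not scan_patch(text)


# Constructed sample: a harmless unified diff followed by an ed-style hunk
# whose script carries a command line starting with "!".
SAMPLE_PATCH = """\
--- a/hello.txt
+++ b/hello.txt
@@ -1 +1 @@
-hello
+hello world
--- a/notes.txt
+++ b/notes.txt
1a
added line
.
!PLACEHOLDER_COMMAND
w
q
"""

# Constructed sample: a context diff, whose "! " lines are ordinary content.
CONTEXT_DIFF = """\
*** a/x.txt
--- b/x.txt
***************
*** 1 ****
! old
--- 1 ----
! new
"""

if __name__ == "__main__":
    for name, body in (("SAMPLE_PATCH", SAMPLE_PATCH), ("CONTEXT_DIFF", CONTEXT_DIFF)):
        print(f"{name}: safe={is_safe_to_apply(body)}")
        for f in scan_patch(body):
            print(f"  line {f.line_no}: {f.kind}: {f.text}")
```

The simplest policy for a build or deployment pipeline is to reject any patch that yields a finding and ask for a unified diff, which expresses the same change without ever invoking ed. Updating patch to a version in which the advisory is fixed remains the primary remediation; this check only narrows exposure on hosts that cannot be updated immediately.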
CVEs related to QID 671067
| Advisory ID | Software | Component | Link |
|---|---|---|---|
| EulerOS-SA-2019-2645 | EulerOS V2.0SP3 | | |