File _service:tar_scm:CVE-2018-20969-and-CVE-2019-13638.patch of Package patch
From 3fcd042d26d70856e826a42b5f93dc4854d80bf0 Fri Apr 06 20:50:06 2018 From: Andreas Gruenbacher <agruen@gnu.org> Date: Fri, 06 Apr 2018 19:36:15 +0200 Subject: [PATCH] Invoke ed directly instead of using the shell * src/pch.c (do_ed_script): Invoke ed directly instead of using a shell command to avoid quoting vulnerabilities. fix CVE-2019-13638 CVE-2018-20969 https://git.savannah.gnu.org/cgit/patch.git/commit/?id=3fcd042d26d70856e826a42b5f93dc4854d80bf0 --- src/pch.c | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/src/pch.c b/src/pch.c index a602cbb..250308d 100644 --- a/src/pch.c +++ b/src/pch.c @@ -2471,9 +2471,6 @@ do_ed_script (char const *inname, char const *outname, *outname_needs_removal = true; copy_file (inname, outname, 0, exclusive, instat.st_mode, true); } - sprintf (buf, "%s %s%s", editor_program, - verbosity == VERBOSE ? "" : "- ", - outname); fflush (stdout); pid = fork(); @@ -2482,7 +2479,8 @@ do_ed_script (char const *inname, char const *outname, else if (pid == 0) { dup2 (tmpfd, 0); - execl ("/bin/sh", "sh", "-c", buf, (char *) 0); + assert (outname[0] != '!' && outname[0] != '-'); + execlp (editor_program, editor_program, "-", outname, (char *) NULL); _exit (2); } else -- 1.8.3.1
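Review bot: In the first hunk (@@ -2471,9 +2471,6), the removed sprintf passed "- " only when verbosity was not VERBOSE, while the execlp call that replaces it in the second hunk always passes "-", so verbose runs no longer invoke ed differently, and the commit message does not say so. Either note in the commit message that dropping the verbosity case is intentional, or keep the distinction when building the argument list. Since this hunk removes the only write to buf visible here, also check whether buf is still needed in do_ed_script.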
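Review bot: In the second hunk (@@ -2482,7 +2479,8), the check on outname[0] is an assert, so a build with NDEBUG defined drops it and a name beginning with '-' or '!' reaches ed unchecked as the last argument of execlp. Make it an explicit runtime test that reports an error and refuses to run the editor, ideally before fork() rather than in the child, where a failed assert only aborts the child process. The diffstat shows 2 insertions and no new #include, so confirm that <assert.h> is already pulled in by src/pch.c.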