Errata overview
Errata ID 554
Date 2019-07-31
Source package patch
Fixed in version 2.7.5-1+deb9u2
This update addresses the following issues:
* The following of symlinks in inp.c and util.c is mishandled in cases other
  than input files (CVE-2019-13636)
* GNU patch through 2.7.6 is vulnerable to OS shell command injection that
  can be exploited by opening a crafted patch file that contains an ed style
  diff payload with shell metacharacters. The ed editor does not need to be
  present on the vulnerable system. This is different from CVE-2018-1000156.
Additional notes
CVE ID CVE-2019-13636
UCS Bug number #49936