From 75ce224995807069da878465cec8452ec41f8d67 Mon Sep 17 00:00:00 2001
From: CentOS Sources <bugs@centos.org>
Date: Oct 03 2019 13:27:17 +0000
Subject: import patch-2.7.1-12.el7_7


---

diff --git a/SOURCES/patch-2.7.x-CVE-2018-20969.patch b/SOURCES/patch-2.7.x-CVE-2018-20969.patch
new file mode 100644
index 0000000..43c565b
--- /dev/null
+++ b/SOURCES/patch-2.7.x-CVE-2018-20969.patch
@@ -0,0 +1,23 @@
+diff -up patch-2.7.1/src/pch.c.orig patch-2.7.1/src/pch.c
+--- patch-2.7.1/src/pch.c.orig	2019-09-02 10:01:18.283754723 +0200
++++ patch-2.7.1/src/pch.c	2019-09-02 10:03:31.742214005 +0200
+@@ -2459,9 +2459,6 @@ do_ed_script (char const *inname, char c
+            *outname_needs_removal = true;
+            copy_file (inname, outname, 0, exclusive, instat.st_mode, true);
+          }
+-       sprintf (buf, "%s %s%s", editor_program,
+-                verbosity == VERBOSE ? "" : "- ",
+-                outname);
+        fflush (stdout);
+ 
+        pid = fork();
+@@ -2470,7 +2467,8 @@ do_ed_script (char const *inname, char c
+        else if (pid == 0)
+          {
+            dup2 (tmpfd, 0);
+-           execl ("/bin/sh", "sh", "-c", buf, (char *) 0);
++           assert (outname[0] != '!' && outname[0] != '-');
++           execlp (editor_program, editor_program, "-", outname, (char  *) NULL);
+            _exit (2);
+          }
+        else
diff --git a/SPECS/patch.spec b/SPECS/patch.spec
index f73c83f..ed209f2 100644
--- a/SPECS/patch.spec
+++ b/SPECS/patch.spec
@@ -3,7 +3,7 @@
 Summary: Utility for modifying/upgrading files
 Name: patch
 Version: 2.7.1
-Release: 11%{?dist}
+Release: 12%{?dist}
 License: GPLv3+
 URL: http://www.gnu.org/software/patch/patch.html
 Group: Development/Tools
@@ -15,6 +15,9 @@ Patch4: patch-2.7.1-CVE-2018-1000156.patch
 Patch5: patch-2.7.1-CVE-2016-10713.patch
 Patch6: patch-2.7.1-CVE-2018-6952.patch
 Patch7: patch-2.7.1-newmode.patch
+# CVE-2018-20969, Invoke ed directly instead of using the shell
+Patch8: patch-2.7.x-CVE-2018-20969.patch
+# Selinux
 Patch100: patch-selinux.patch
 Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 
@@ -59,6 +62,9 @@ applications.
 # honor the new file mode
 %patch7 -p1 -b .newmode
 
+# CVE-2018-20969, Invoke ed directly instead of using the shell
+%patch8 -p1 -b .CVE-2018-20969
+
 # SELinux support.
 %patch100 -p1 -b .selinux
 
@@ -87,6 +93,9 @@ rm -rf $RPM_BUILD_ROOT
 %{_mandir}/*/*
 
 %changelog
+* Mon Sep 02 2019 Than Ngo <than@redhat.com> - 2.7.1-12
+- Fixed CVE-2018-20969, invoke ed directly instead of using the shell
+
 * Thu Nov 22 2018 Than Ngo <than@redhat.com> - 2.7.1-11
 - Fixed CVE-2016-10713 - Out-of-bounds access in pch_write_line function 
 - Fixed CVE-2018-6952 - Double free of memory