From f13c65d14bce169734f30e96068717bd97043316 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Sep 17 2019 08:44:46 +0000
Subject: import patch-2.7.6-9.el8_0
---
diff --git a/SOURCES/patch-2.7.6-CVE-2018-20969.patch b/SOURCES/patch-2.7.6-CVE-2018-20969.patch
new file mode 100644
index 0000000..f14cce7
--- /dev/null
+++ b/SOURCES/patch-2.7.6-CVE-2018-20969.patch
@@ -0,0 +1,23 @@
+diff -up patch-2.7.6/src/pch.c.CVE-2018-20969 patch-2.7.6/src/pch.c
+--- patch-2.7.6/src/pch.c.CVE-2018-20969 2019-09-02 15:40:09.087994204 +0200
++++ patch-2.7.6/src/pch.c 2019-09-02 15:42:23.486485786 +0200
+@@ -2459,9 +2459,6 @@ do_ed_script (char const *inname, char c
+ *outname_needs_removal = true;
+ copy_file (inname, outname, 0, exclusive, instat.st_mode, true);
+ }
+- sprintf (buf, "%s %s%s", editor_program,
+- verbosity == VERBOSE ? "" : "- ",
+- outname);
+ fflush (stdout);
+
+ pid = fork();
+@@ -2470,7 +2467,8 @@ do_ed_script (char const *inname, char c
+ else if (pid == 0)
+ {
+ dup2 (tmpfd, 0);
+- execl ("/bin/sh", "sh", "-c", buf, (char *) 0);
++ assert (outname[0] != '!' && outname[0] != '-');
++ execlp (editor_program, editor_program, "-", outname, (char *) NULL);
+ _exit (2);
+ }
+ else
diff --git a/SPECS/patch.spec b/SPECS/patch.spec
index 0adcd82..e383c64 100644
--- a/SPECS/patch.spec
+++ b/SPECS/patch.spec
@@ -3,7 +3,7 @@ Summary: Utility for modifying/upgrading files Name: patch Version: 2.7.6 -Release: 8%{?dist} +Release: 9%{?dist} License: GPLv3+ URL: http://www.gnu.org/software/patch/patch.html Group: Development/Tools
@@ -12,6 +12,7 @@ Patch1: patch-2.7.6-CVE-2018-6951.patch Patch2: patch-CVE-2018-1000156.patch Patch3: patch-2.7.6-gcc8.patch Patch4: patch-2.7.6-CVE-2018-6952.patch +Patch5: patch-2.7.6-CVE-2018-20969.patch Patch100: patch-selinux.patch BuildRequires: libselinux-devel BuildRequires: libattr-devel
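Review bot: The guard on `outname` in the child branch of the new pch.c code is an `assert`, which is compiled out when the package is built with `NDEBUG`, so the only check that keeps a name starting with `!` or `-` out of ed's argument list may be absent from a release build. Since the spec comment for this patch names the leading-`!` case as the vulnerability, I would make the check unconditional, e.g. `if (outname[0] == '!' || outname[0] == '-') _exit (2);` placed just before the `execlp`. The new call also always passes `"-"`, whereas the removed `sprintf` left it out when `verbosity == VERBOSE`; if dropping that distinction is intended, a one-line comment saying so would help. `do_ed_script` begins and ends outside these hunks, so whether `outname` can still be caller-controlled at this point, and whether `buf` is now unused, is not visible here.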
@@ -45,6 +46,9 @@ applications. # CVE-2018-6952, Double free of memory %patch4 -p1 -b .CVE-2018-6952 +# CVE-2018-20969, do_ed_script in pch.c does not block strings beginning with a ! character +%patch5 -p1 -b .CVE-2018-20969 + # SELinux support. %patch100 -p1 -b .selinux @@ -71,6 +75,9 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/*/* %changelog +* Mon Sep 02 2019 Than Ngo - 2.7.6-9 +- CVE-2018-20969, invoke ed directly instead of using the shell + * Tue Nov 27 2018 Than Ngo - 2.7.6-8 - Added virtual provides for bundled gnulib library