diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..b016cef
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+SOURCES/patch-2.7.6.tar.xz
diff --git a/.patch.metadata b/.patch.metadata
new file mode 100644
index 0000000..5380928
--- /dev/null
+++ b/.patch.metadata
@@ -0,0 +1 @@
+6f64fa75993bdb285ac4ed6eca6c9212725bff91 SOURCES/patch-2.7.6.tar.xz
diff --git a/SOURCES/patch-2.7.6-CVE-2018-6951.patch b/SOURCES/patch-2.7.6-CVE-2018-6951.patch
new file mode 100644
index 0000000..770e91c
--- /dev/null
+++ b/SOURCES/patch-2.7.6-CVE-2018-6951.patch
@@ -0,0 +1,13 @@
+diff -up patch-2.7.6/src/pch.c.than patch-2.7.6/src/pch.c
+--- patch-2.7.6/src/pch.c.than 2018-03-13 11:12:44.726307967 +0100
++++ patch-2.7.6/src/pch.c 2018-03-13 11:13:34.203449789 +0100
+@@ -976,7 +976,8 @@ intuit_diff_type (bool need_header, mode
+ if ((pch_rename () || pch_copy ())
+ && ! inname
+ && ! ((i == OLD || i == NEW) &&
+- p_name[! reverse] &&
++ p_name[reverse] && p_name[! reverse] &&
++ name_is_valid (p_name[reverse]) &&
+ name_is_valid (p_name[! reverse])))
+ {
+ say ("Cannot %s file without two valid file names\n", pch_rename () ? "rename" : "copy");
diff --git a/SOURCES/patch-2.7.6-CVE-2018-6952.patch b/SOURCES/patch-2.7.6-CVE-2018-6952.patch
new file mode 100644
index 0000000..4e93f93
--- /dev/null
+++ b/SOURCES/patch-2.7.6-CVE-2018-6952.patch
@@ -0,0 +1,13 @@
+diff --git a/src/pch.c b/src/pch.c
+index e92bc64..a500ad9 100644
+--- a/src/pch.c
++++ b/src/pch.c
+@@ -2122,7 +2122,7 @@ pch_swap (void)
+ }
+ if (p_efake >= 0) { /* fix non-freeable ptr range */
+ if (p_efake <= i)
+- n = p_end - i + 1;
++ n = p_end - p_ptrn_lines;
+ else
+ n = -i;
+ p_efake += n;
diff --git a/SOURCES/patch-2.7.6-gcc8.patch b/SOURCES/patch-2.7.6-gcc8.patch
new file mode 100644
index 0000000..9a96878
--- /dev/null
+++ b/SOURCES/patch-2.7.6-gcc8.patch
@@ -0,0 +1,58 @@
+diff -up patch-2.7.6/.me.orig patch-2.7.6/.me
+diff -up patch-2.7.6/src/common.h.orig patch-2.7.6/src/common.h
+--- patch-2.7.6/src/common.h.orig 2018-06-18 17:20:49.661363500 +0200
++++ patch-2.7.6/src/common.h 2018-06-18 17:22:21.505841527 +0200
+@@ -221,3 +221,11 @@ bool merge_hunk (int hunk, struct outsta
+ #else
+ # define merge_hunk(hunk, outstate, where, somefailed) false
+ #endif
++
++#ifndef FALLTHROUGH
++# if __GNUC__ < 7
++# define FALLTHROUGH ((void) 0)
++# else
++# define FALLTHROUGH __attribute__ ((__fallthrough__))
++# endif
++#endif
+diff -up patch-2.7.6/src/patch.c.orig patch-2.7.6/src/patch.c
+--- patch-2.7.6/src/patch.c.orig 2018-06-18 17:20:49.662363506 +0200
++++ patch-2.7.6/src/patch.c 2018-06-18 17:22:21.507841538 +0200
+@@ -1381,7 +1381,7 @@ abort_hunk_context (bool header, bool re
+ break;
+ case ' ': case '-': case '+': case '!':
+ fprintf (rejfp, "%c ", pch_char (i));
+- /* fall into */
++ FALLTHROUGH;
+ case '\n':
+ pch_write_line (i, rejfp);
+ break;
+diff -up patch-2.7.6/src/pch.c.orig patch-2.7.6/src/pch.c
+--- patch-2.7.6/src/pch.c.orig 2018-06-18 17:20:49.662363506 +0200
++++ patch-2.7.6/src/pch.c 2018-06-18 17:24:00.694357762 +0200
+@@ -1742,7 +1742,7 @@ another_hunk (enum diff difftype, bool r
+ break;
+ case '=':
+ ch = ' ';
+- /* FALL THROUGH */
++ FALLTHROUGH;
+ case ' ':
+ if (fillsrc > p_ptrn_lines) {
+ free(s);
+@@ -1763,7 +1763,7 @@ another_hunk (enum diff difftype, bool r
+ p_end = fillsrc-1;
+ return -1;
+ }
+- /* FALL THROUGH */
++ FALLTHROUGH;
+ case '+':
+ if (filldst > p_end) {
+ free(s);
+@@ -2401,7 +2401,7 @@ do_ed_script (char const *inname, char c
+ size_t chars_read;
+ FILE *tmpfp = 0;
+ char const *tmpname;
+- int tmpfd;
++ int tmpfd = -1; /* placate gcc's -Wmaybe-uninitialized */
+ pid_t pid;
+
+ if (! dry_run && ! skip_rest_of_patch)
diff --git a/SOURCES/patch-CVE-2018-1000156.patch b/SOURCES/patch-CVE-2018-1000156.patch
new file mode 100644
index 0000000..ae132c8
--- /dev/null
+++ b/SOURCES/patch-CVE-2018-1000156.patch
@@ -0,0 +1,209 @@
+diff -up patch-2.7.6/src/pch.c.CVE-2018-1000156 patch-2.7.6/src/pch.c
+--- patch-2.7.6/src/pch.c.CVE-2018-1000156 2018-06-19 10:10:41.407826617 +0200
++++ patch-2.7.6/src/pch.c 2018-06-19 10:11:01.200927524 +0200
+@@ -33,6 +33,7 @@
+ # include <io.h>
+ #endif
+ #include <safe.h>
++#include <sys/wait.h>
+
+ #define INITHUNKMAX 125 /* initial dynamic allocation size */
+
+@@ -2389,22 +2390,28 @@ do_ed_script (char const *inname, char c
+ static char const editor_program[] = EDITOR_PROGRAM;
+
+ file_offset beginning_of_this_line;
+- FILE *pipefp = 0;
+ size_t chars_read;
++ FILE *tmpfp = 0;
++ char const *tmpname;
++ int tmpfd;
++ pid_t pid;
++
++ if (! dry_run && ! skip_rest_of_patch)
++ {
++ /* Write ed script to a temporary file. This causes ed to abort on
++ invalid commands such as when line numbers or ranges exceed the
++ number of available lines. When ed reads from a pipe, it rejects
++ invalid commands and treats the next line as a new command, which
++ can lead to arbitrary command execution. */
++
++ tmpfd = make_tempfile (&tmpname, 'e', NULL, O_RDWR | O_BINARY, 0);
++ if (tmpfd == -1)
++ pfatal ("Can't create temporary file %s", quotearg (tmpname));
++ tmpfp = fdopen (tmpfd, "w+b");
++ if (! tmpfp)
++ pfatal ("Can't open stream for file %s", quotearg (tmpname));
++ }
+
+- if (! dry_run && ! skip_rest_of_patch) {
+- int exclusive = *outname_needs_removal ? 0 : O_EXCL;
+- assert (! inerrno);
+- *outname_needs_removal = true;
+- copy_file (inname, outname, 0, exclusive, instat.st_mode, true);
+- sprintf (buf, "%s %s%s", editor_program,
+- verbosity == VERBOSE ? "" : "- ",
+- outname);
+- fflush (stdout);
+- pipefp = popen(buf, binary_transput ? "wb" : "w");
+- if (!pipefp)
+- pfatal ("Can't open pipe to %s", quotearg (buf));
+- }
+ for (;;) {
+ char ed_command_letter;
+ beginning_of_this_line = file_tell (pfp);
+@@ -2415,14 +2422,14 @@ do_ed_script (char const *inname, char c
+ }
+ ed_command_letter = get_ed_command_letter (buf);
+ if (ed_command_letter) {
+- if (pipefp)
+- if (! fwrite (buf, sizeof *buf, chars_read, pipefp))
++ if (tmpfp)
++ if (! fwrite (buf, sizeof *buf, chars_read, tmpfp))
+ write_fatal ();
+ if (ed_command_letter != 'd' && ed_command_letter != 's') {
+ p_pass_comments_through = true;
+ while ((chars_read = get_line ()) != 0) {
+- if (pipefp)
+- if (! fwrite (buf, sizeof *buf, chars_read, pipefp))
++ if (tmpfp)
++ if (! fwrite (buf, sizeof *buf, chars_read, tmpfp))
+ write_fatal ();
+ if (chars_read == 2 && strEQ (buf, ".\n"))
+ break;
+@@ -2435,13 +2442,50 @@ do_ed_script (char const *inname, char c
+ break;
+ }
+ }
+- if (!pipefp)
++ if (!tmpfp)
+ return;
+- if (fwrite ("w\nq\n", sizeof (char), (size_t) 4, pipefp) == 0
+- || fflush (pipefp) != 0)
++ if (fwrite ("w\nq\n", sizeof (char), (size_t) 4, tmpfp) == 0
++ || fflush (tmpfp) != 0)
+ write_fatal ();
+- if (pclose (pipefp) != 0)
+- fatal ("%s FAILED", editor_program);
++
++ if (lseek (tmpfd, 0, SEEK_SET) == -1)
++ pfatal ("Can't rewind to the beginning of file %s", quotearg (tmpname));
++
++ if (! dry_run && ! skip_rest_of_patch) {
++ int exclusive = *outname_needs_removal ? 0 : O_EXCL;
++ *outname_needs_removal = true;
++ if (inerrno != ENOENT)
++ {
++ *outname_needs_removal = true;
++ copy_file (inname, outname, 0, exclusive, instat.st_mode, true);
++ }
++ sprintf (buf, "%s %s%s", editor_program,
++ verbosity == VERBOSE ? "" : "- ",
++ outname);
++ fflush (stdout);
++
++ pid = fork();
++ if (pid == -1)
++ pfatal ("Can't fork");
++ else if (pid == 0)
++ {
++ dup2 (tmpfd, 0);
++ execl ("/bin/sh", "sh", "-c", buf, (char *) 0);
++ _exit (2);
++ }
++ else
++ {
++ int wstatus;
++ if (waitpid (pid, &wstatus, 0) == -1
++ || ! WIFEXITED (wstatus)
++ || WEXITSTATUS (wstatus) != 0)
++ fatal ("%s FAILED", editor_program);
++ }
++ }
++
++ fclose (tmpfp);
++ safe_unlink (tmpname);
++ free((char*) tmpname);
+
+ if (ofp)
+ {
+diff -up patch-2.7.6/tests/ed-style.CVE-2018-1000156 patch-2.7.6/tests/ed-style
+--- patch-2.7.6/tests/ed-style.CVE-2018-1000156 2018-06-19 10:10:41.409826627 +0200
++++ patch-2.7.6/tests/ed-style 2018-06-19 11:28:43.354641294 +0200
+@@ -0,0 +1,40 @@
++# Copyright (C) 2018 Free Software Foundation, Inc.
++#
++# Copying and distribution of this file, with or without modification,
++# in any medium, are permitted without royalty provided the copyright
++# notice and this notice are preserved.
++
++. $srcdir/test-lib.sh
++
++require cat
++use_local_patch
++use_tmpdir
++
++# ==============================================================
++
++cat > ed1.diff <<EOF
++0a
++foo
++.
++EOF
++
++check 'patch -e foo -i ed1.diff' <<EOF
++EOF
++
++check 'cat foo' <<EOF
++foo
++EOF
++
++cat > ed2.diff <<EOF
++1337a
++r !echo bar
++,p
++EOF
++
++check 'patch -e foo -i ed2.diff > /dev/null 2> /dev/null || echo "Status: $?"' <<EOF
++Status: 2
++EOF
++
++check 'cat foo' <<EOF
++foo
++EOF
+diff -up patch-2.7.6/tests/Makefile.am.CVE-2018-1000156 patch-2.7.6/tests/Makefile.am
+--- patch-2.7.6/tests/Makefile.am.CVE-2018-1000156 2018-02-03 13:41:49.000000000 +0100
++++ patch-2.7.6/tests/Makefile.am 2018-06-19 10:10:41.409826627 +0200
+@@ -32,6 +32,7 @@ TESTS = \
+ crlf-handling \
+ dash-o-append \
+ deep-directories \
++ ed-style \
+ empty-files \
+ false-match \
+ fifo \
+diff -up patch-2.7.6/tests/Makefile.in.CVE-2018-1000156 patch-2.7.6/tests/Makefile.in
+--- patch-2.7.6/tests/Makefile.in.CVE-2018-1000156 2018-02-03 14:33:56.000000000 +0100
++++ patch-2.7.6/tests/Makefile.in 2018-06-19 10:10:41.409826627 +0200
+@@ -1308,6 +1308,7 @@ TESTS = \
+ crlf-handling \
+ dash-o-append \
+ deep-directories \
++ ed-style \
+ empty-files \
+ false-match \
+ fifo \
+@@ -1645,6 +1646,13 @@ empty-files.log: empty-files
+ $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \
+ --log-file $$b.log --trs-file $$b.trs \
+ $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \
++ "$$tst" $(AM_TESTS_FD_REDIRECT)
++ed-style.log: empty-files
++ @p='ed-style'; \
++ b='ed-style'; \
++ $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \
++ --log-file $$b.log --trs-file $$b.trs \
++ $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \
+ "$$tst" $(AM_TESTS_FD_REDIRECT)
+ false-match.log: false-match
+ @p='false-match'; \
diff --git a/SOURCES/patch-selinux.patch b/SOURCES/patch-selinux.patch
new file mode 100644
index 0000000..7c16a1a
--- /dev/null
+++ b/SOURCES/patch-selinux.patch
@@ -0,0 +1,326 @@
+diff -up patch-2.7.6/src/common.h.selinux patch-2.7.6/src/common.h
+--- patch-2.7.6/src/common.h.selinux 2018-02-03 12:41:49.000000000 +0000
++++ patch-2.7.6/src/common.h 2018-02-12 12:29:44.415225377 +0000
+@@ -30,6 +30,8 @@
+ #include <sys/types.h>
+ #include <time.h>
+
++#include <selinux/selinux.h>
++
+ #include <sys/stat.h>
+
+ #include <limits.h>
+@@ -84,6 +86,7 @@ XTERN char *outfile;
+ XTERN int inerrno;
+ XTERN int invc;
+ XTERN struct stat instat;
++XTERN security_context_t incontext;
+ XTERN bool dry_run;
+ XTERN bool posixly_correct;
+
+diff -up patch-2.7.6/src/inp.c.selinux patch-2.7.6/src/inp.c
+--- patch-2.7.6/src/inp.c.selinux 2017-09-04 12:34:16.000000000 +0100
++++ patch-2.7.6/src/inp.c 2018-02-12 12:29:44.415225377 +0000
+@@ -145,7 +145,7 @@ get_input_file (char const *filename, ch
+ char *getbuf;
+
+ if (inerrno == -1)
+- inerrno = stat_file (filename, &instat);
++ inerrno = stat_file (filename, &instat, &incontext);
+
+ /* Perhaps look for RCS or SCCS versions. */
+ if (S_ISREG (file_type)
+@@ -190,7 +190,7 @@ get_input_file (char const *filename, ch
+ }
+
+ if (cs && version_get (filename, cs, ! inerrno, elsewhere, getbuf,
+- &instat))
++ &instat, &incontext))
+ inerrno = 0;
+
+ free (getbuf);
+@@ -201,6 +201,7 @@ get_input_file (char const *filename, ch
+ {
+ instat.st_mode = S_IRUSR|S_IWUSR|S_IRGRP|S_IWGRP|S_IROTH|S_IWOTH;
+ instat.st_size = 0;
++ incontext = NULL;
+ }
+ else if (! ((S_ISREG (file_type) || S_ISLNK (file_type))
+ && (file_type & S_IFMT) == (instat.st_mode & S_IFMT)))
+diff -up patch-2.7.6/src/Makefile.am.selinux patch-2.7.6/src/Makefile.am
+--- patch-2.7.6/src/Makefile.am.selinux 2017-09-04 12:34:16.000000000 +0100
++++ patch-2.7.6/src/Makefile.am 2018-02-12 12:29:44.415225377 +0000
+@@ -37,7 +37,7 @@ patch_SOURCES = \
+
+ AM_CPPFLAGS = -I$(top_builddir)/lib -I$(top_srcdir)/lib
+ patch_LDADD = $(LDADD) $(top_builddir)/lib/libpatch.a $(LIB_CLOCK_GETTIME) \
+- $(LIB_XATTR) $(LIB_EACCESS)
++ $(LIB_XATTR) $(LIB_EACCESS) -lselinux
+
+ if ENABLE_MERGE
+ patch_SOURCES += merge.c
+diff -up patch-2.7.6/src/Makefile.in.selinux patch-2.7.6/src/Makefile.in
+--- patch-2.7.6/src/Makefile.in.selinux 2018-02-03 13:33:56.000000000 +0000
++++ patch-2.7.6/src/Makefile.in 2018-02-12 12:29:44.415225377 +0000
+@@ -1147,7 +1147,7 @@ patch_SOURCES = bestmatch.h common.h inp
+ AM_CPPFLAGS = -I$(top_builddir)/lib -I$(top_srcdir)/lib \
+ $(am__append_2)
+ patch_LDADD = $(LDADD) $(top_builddir)/lib/libpatch.a $(LIB_CLOCK_GETTIME) \
+- $(LIB_XATTR) $(LIB_EACCESS)
++ $(LIB_XATTR) $(LIB_EACCESS) -lselinux
+
+ all: all-am
+
+diff -up patch-2.7.6/src/patch.c.selinux patch-2.7.6/src/patch.c
+--- patch-2.7.6/src/patch.c.selinux 2018-02-03 12:41:49.000000000 +0000
++++ patch-2.7.6/src/patch.c 2018-02-12 12:30:27.315164138 +0000
+@@ -269,19 +269,19 @@ main (int argc, char **argv)
+ if (! strcmp (inname, outname))
+ {
+ if (inerrno == -1)
+- inerrno = stat_file (inname, &instat);
++ inerrno = stat_file (inname, &instat, NULL);
+ outstat = instat;
+ outerrno = inerrno;
+ }
+ else
+- outerrno = stat_file (outname, &outstat);
++ outerrno = stat_file (outname, &outstat, NULL);
+
+ if (! outerrno)
+ {
+ if (has_queued_output (&outstat))
+ {
+ output_files (&outstat);
+- outerrno = stat_file (outname, &outstat);
++ outerrno = stat_file (outname, &outstat, NULL);
+ inerrno = -1;
+ }
+ if (! outerrno)
+@@ -598,7 +598,7 @@ main (int argc, char **argv)
+ }
+ else
+ {
+- attr |= FA_IDS | FA_MODE | FA_XATTRS;
++ attr |= FA_IDS | FA_MODE | FA_XATTRS | FA_SECCONTEXT;
+ set_file_attributes (TMPOUTNAME, attr, inname, &instat,
+ mode, &new_time);
+ }
+@@ -658,7 +658,7 @@ main (int argc, char **argv)
+ struct stat oldst;
+ int olderrno;
+
+- olderrno = stat_file (rej, &oldst);
++ olderrno = stat_file (rej, &oldst, NULL);
+ if (olderrno && olderrno != ENOENT)
+ write_fatal ();
+ if (! olderrno && lookup_file_id (&oldst) == CREATED)
+@@ -1790,7 +1790,7 @@ delete_file_later (const char *name, con
+
+ if (! st)
+ {
+- if (stat_file (name, &st_tmp) != 0)
++ if (stat_file (name, &st_tmp, NULL) != 0)
+ pfatal ("Can't get file attributes of %s %s", "file", name);
+ st = &st_tmp;
+ }
+diff -up patch-2.7.6/src/pch.c.selinux patch-2.7.6/src/pch.c
+--- patch-2.7.6/src/pch.c.selinux 2018-02-03 12:41:49.000000000 +0000
++++ patch-2.7.6/src/pch.c 2018-02-12 12:29:44.416225375 +0000
+@@ -1,6 +1,6 @@
+ /* reading patches */
+
+-/* Copyright (C) 1986, 1987, 1988 Larry Wall
++/* Copyright (C) 1986, 1987, 1988, 2012 Larry Wall
+
+ Copyright (C) 1990-1993, 1997-2003, 2006, 2009-2012 Free Software
+ Foundation, Inc.
+@@ -296,7 +296,7 @@ there_is_another_patch (bool need_header
+ if (t > buf + 1 && *(t - 1) == '\n')
+ {
+ inname = xmemdup0 (buf, t - buf - 1);
+- inerrno = stat_file (inname, &instat);
++ inerrno = stat_file (inname, &instat, &incontext);
+ if (inerrno)
+ {
+ perror (inname);
+@@ -433,6 +433,7 @@ intuit_diff_type (bool need_header, mode
+ bool extended_headers = false;
+ enum nametype i;
+ struct stat st[3];
++ security_context_t con[3];
+ int stat_errno[3];
+ int version_controlled[3];
+ enum diff retval;
+@@ -473,6 +474,7 @@ intuit_diff_type (bool need_header, mode
+ version_controlled[OLD] = -1;
+ version_controlled[NEW] = -1;
+ version_controlled[INDEX] = -1;
++ con[OLD] = con[NEW] = con[INDEX] = NULL;
+ p_rfc934_nesting = 0;
+ p_timestamp[OLD].tv_sec = p_timestamp[NEW].tv_sec = -1;
+ p_says_nonexistent[OLD] = p_says_nonexistent[NEW] = 0;
+@@ -883,7 +885,7 @@ intuit_diff_type (bool need_header, mode
+ }
+ else
+ {
+- stat_errno[i] = stat_file (p_name[i], &st[i]);
++ stat_errno[i] = stat_file (p_name[i], &st[i], &con[i]);
+ if (! stat_errno[i])
+ {
+ if (lookup_file_id (&st[i]) == DELETE_LATER)
+@@ -922,7 +924,7 @@ intuit_diff_type (bool need_header, mode
+ if (cs)
+ {
+ if (version_get (p_name[i], cs, false, readonly,
+- getbuf, &st[i]))
++ getbuf, &st[i], &con[i]))
+ stat_errno[i] = 0;
+ else
+ version_controlled[i] = 0;
+@@ -985,7 +987,7 @@ intuit_diff_type (bool need_header, mode
+ {
+ if (inname)
+ {
+- inerrno = stat_file (inname, &instat);
++ inerrno = stat_file (inname, &instat, &incontext);
+ if (inerrno || (instat.st_mode & S_IFMT) == file_type)
+ maybe_reverse (inname, inerrno, inerrno || instat.st_size == 0);
+ }
+@@ -998,8 +1000,14 @@ intuit_diff_type (bool need_header, mode
+ inerrno = stat_errno[i];
+ invc = version_controlled[i];
+ instat = st[i];
++ incontext = con[i];
++ con[i] = NULL;
+ }
+
++ for (i = OLD; i <= INDEX; i++)
++ if (con[i])
++ freecon (con[i]);
++
+ return retval;
+ }
+
+diff -up patch-2.7.6/src/util.c.selinux patch-2.7.6/src/util.c
+--- patch-2.7.6/src/util.c.selinux 2018-02-03 12:41:49.000000000 +0000
++++ patch-2.7.6/src/util.c 2018-02-12 12:29:44.417225374 +0000
+@@ -300,6 +300,23 @@ set_file_attributes (char const *to, enu
+ S_ISLNK (mode) ? "symbolic link" : "file",
+ quotearg (to));
+ }
++ if (attr & FA_SECCONTEXT)
++ {
++ security_context_t outcontext;
++ if (incontext && getfilecon (to, &outcontext) != -1 && outcontext)
++ {
++ if (strcmp (outcontext, incontext) &&
++ setfilecon (to, incontext) != 0)
++ {
++ freecon (outcontext);
++ if (errno != ENOTSUP && errno != EPERM)
++ pfatal ("Can't set security context on file %s",
++ quotearg (to));
++ }
++ else
++ freecon (outcontext);
++ }
++ }
+ }
+
+ static void
+@@ -446,7 +463,7 @@ move_file (char const *from, bool *from_
+ struct stat to_st;
+ int to_errno;
+
+- to_errno = stat_file (to, &to_st);
++ to_errno = stat_file (to, &to_st, NULL);
+ if (backup)
+ create_backup (to, to_errno ? NULL : &to_st, false);
+ if (! to_errno)
+@@ -818,7 +835,8 @@ version_controller (char const *filename
+ Return true if successful. */
+ bool
+ version_get (char const *filename, char const *cs, bool exists, bool readonly,
+- char const *getbuf, struct stat *filestat)
++ char const *getbuf, struct stat *filestat,
++ security_context_t *filecontext)
+ {
+ if (patch_get < 0)
+ {
+@@ -843,6 +861,13 @@ version_get (char const *filename, char
+ fatal ("Can't get file %s from %s", quotearg (filename), cs);
+ if (safe_stat (filename, filestat) != 0)
+ pfatal ("%s", quotearg (filename));
++ if (filecontext && getfilecon (filename, filecontext) == -1)
++ {
++ if (errno == ENODATA || errno == ENOTSUP)
++ *filecontext = NULL;
++ else
++ pfatal ("%s", quotearg (filename));
++ }
+ }
+
+ return 1;
+@@ -1670,12 +1695,28 @@ make_tempfile (char const **name, char l
+ return fd;
+ }
+
+-int stat_file (char const *filename, struct stat *st)
++int stat_file (char const *filename, struct stat *st, security_context_t *con)
+ {
+ int (*xstat)(char const *, struct stat *) =
+ follow_symlinks ? safe_stat : safe_lstat;
++ int (*xgetfilecon)(char const *, security_context_t *) =
++ follow_symlinks ? getfilecon : lgetfilecon;
++
++ if (xstat (filename, st) == 0)
++ {
++ if (con)
++ {
++ if (xgetfilecon (filename, con) != -1 ||
++ errno == ENODATA || errno == ENOTSUP)
++ return 0;
+
+- return xstat (filename, st) == 0 ? 0 : errno;
++ *con = NULL;
++ }
++ else
++ return 0;
++ }
++
++ return errno;
+ }
+
+ /* Check if a filename is relative and free of ".." components.
+diff -up patch-2.7.6/src/util.h.selinux patch-2.7.6/src/util.h
+--- patch-2.7.6/src/util.h.selinux 2018-02-03 12:41:49.000000000 +0000
++++ patch-2.7.6/src/util.h 2018-02-12 12:30:08.533190949 +0000
+@@ -44,7 +44,7 @@ char *parse_name (char const *, int, cha
+ char *savebuf (char const *, size_t);
+ char *savestr (char const *);
+ char const *version_controller (char const *, bool, struct stat const *, char **, char **);
+-bool version_get (char const *, char const *, bool, bool, char const *, struct stat *);
++bool version_get (char const *, char const *, bool, bool, char const *, struct stat *, security_context_t *);
+ int create_file (char const *, int, mode_t, bool);
+ int systemic (char const *);
+ char *format_linenum (char[LINENUM_LENGTH_BOUND + 1], lin);
+@@ -67,7 +67,7 @@ void insert_file_id (struct stat const *
+ enum file_id_type lookup_file_id (struct stat const *);
+ void set_queued_output (struct stat const *, bool);
+ bool has_queued_output (struct stat const *);
+-int stat_file (char const *, struct stat *);
++int stat_file (char const *, struct stat *, security_context_t *);
+ bool filename_is_safe (char const *) _GL_ATTRIBUTE_PURE;
+ bool cwd_is_root (char const *);
+
+@@ -75,7 +75,8 @@ enum file_attributes {
+ FA_TIMES = 1,
+ FA_IDS = 2,
+ FA_MODE = 4,
+- FA_XATTRS = 8
++ FA_XATTRS = 8,
++ FA_SECCONTEXT = 16
+ };
+
+ void set_file_attributes (char const *, enum file_attributes, char const *,
diff --git a/SPECS/patch.spec b/SPECS/patch.spec
new file mode 100644
index 0000000..0adcd82
--- /dev/null
+++ b/SPECS/patch.spec
@@ -0,0 +1,402 @@
+%global gnulib_ver 20180203
+
+Summary: Utility for modifying/upgrading files
+Name: patch
+Version: 2.7.6
+Release: 8%{?dist}
+License: GPLv3+
+URL: http://www.gnu.org/software/patch/patch.html
+Group: Development/Tools
+Source: ftp://ftp.gnu.org/gnu/patch/patch-%{version}.tar.xz
+Patch1: patch-2.7.6-CVE-2018-6951.patch
+Patch2: patch-CVE-2018-1000156.patch
+Patch3: patch-2.7.6-gcc8.patch
+Patch4: patch-2.7.6-CVE-2018-6952.patch
+Patch100: patch-selinux.patch
+BuildRequires: libselinux-devel
+BuildRequires: libattr-devel
+BuildRequires: ed
+BuildRequires: automake autoconf
+
+Provides: bundled(gnulib) = %{gnulib_ver}
+
+%description
+The patch program applies diff files to originals. The diff command
+is used to compare an original to a changed file. Diff lists the
+changes made to the file. A person who has the original file can then
+use the patch command with the diff file to add the changes to their
+original file (patching the file).
+
+Patch should be installed because it is a common way of upgrading
+applications.
+
+%prep
+%setup -q
+
+# CVE-2018-6951, NULL pointer dereference causes a crash
+%patch1 -p1 -b .CVE-2018-6951
+
+# CVE-2018-1000156, Malicious patch files cause ed to execute arbitrary commands
+%patch2 -p1 -b .CVE-2018-1000156
+
+# Fix to build with gcc8
+%patch3 -p1 -b .gcc8
+
+# CVE-2018-6952, Double free of memory
+%patch4 -p1 -b .CVE-2018-6952
+
+# SELinux support.
+%patch100 -p1 -b .selinux
+
+%build
+CFLAGS="$RPM_OPT_FLAGS -D_GNU_SOURCE"
+%ifarch sparcv9
+CFLAGS=`echo $CFLAGS|sed -e 's|-fstack-protector||g'`
+%endif
+%configure --disable-silent-rules
+make %{?_smp_mflags}
+
+%check
+make check
+
+%install
+rm -rf $RPM_BUILD_ROOT
+%makeinstall
+
+%files
+%defattr(-,root,root,-)
+%license COPYING
+%doc NEWS README
+%{_bindir}/*
+%{_mandir}/*/*
+
+%changelog
+* Tue Nov 27 2018 Than Ngo <than@redhat.com> - 2.7.6-8
+- Added virtual provides for bundled gnulib library
+
+* Wed Sep 12 2018 Than Ngo <than@redhat.com> - 2.7.6-7
+- Resolves: #1554752, CVE-2018-6952 Double free of memory
+
+* Mon Jun 18 2018 Than Ngo <than@redhat.com> - 2.7.6-6
+- avoid warnings from GCC8
+
+* Mon Apr 09 2018 Than Ngo <than@redhat.com> - 2.7.6-5
+- fixed CVE-2018-1000156
+
+* Tue Mar 13 2018 Than Ngo <than@redhat.com> - 2.7.6-4
+- apply the patch for CVE-2018-6951
+
+* Mon Feb 12 2018 Tim Waugh <twaugh@redhat.com> - 2.7.6-3
+- 2.7.6 (CVE-2016-10713, CVE-2018-6951, CVE-2018-6952).
+
+* Thu Feb 08 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.7.5-7
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
+
+* Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 2.7.5-6
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
+
+* Thu Jul 27 2017 Fedora Release Engineering <releng@fedoraproject.org> - 2.7.5-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
+
+* Wed Feb 01 2017 Stephen Gallagher <sgallagh@redhat.com> - 2.7.5-4
+- Add missing %%license macro
+
+* Thu Feb 04 2016 Fedora Release Engineering <releng@fedoraproject.org> - 2.7.5-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
+
+* Thu Jun 18 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.7.5-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
+
+* Mon Mar 9 2015 Tim Waugh <twaugh@redhat.com> - 2.7.5-1
+- Fixed memory leak in selinux patch.
+- 2.7.5, including an even better fix for CVE-2015-1196 that still
+ allows relative symlinks to be created/used.
+
+* Sat Feb 21 2015 Till Maas <opensource@till.name> - 2.7.4-2
+- Rebuilt for Fedora 23 Change
+ https://fedoraproject.org/wiki/Changes/Harden_all_packages_with_position-independent_code
+
+* Sun Feb 1 2015 Tim Waugh <twaugh@redhat.com> - 2.7.4-1
+- 2.7.4, including a better fix for CVE-2015-1196 that still allows
+ symlinks referencing ".." to be created.
+
+* Fri Jan 23 2015 Tim Waugh <twaugh@redhat.com> - 2.7.3-1
+- 2.7.3 (bug #1182157, CVE-2015-1196, bug #1184491, CVE-2014-9637).
+
+* Tue Jan 20 2015 Tim Waugh <twaugh@redhat.com> - 2.7.1-12
+- Apply upstream patch to fix line numbering integer overflow.
+
+* Tue Jan 20 2015 Tim Waugh <twaugh@redhat.com> - 2.7.1-11
+- Apply upstream patch to fix directory traversal via symlinks
+ (bug #1182157, CVE-2015-1196).
+
+* Sun Aug 17 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.7.1-9
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
+
+* Fri Jun 06 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.7.1-8
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
+
+* Sat Aug 03 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.7.1-7
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
+
+* Wed Jun 12 2013 Tim Waugh <twaugh@redhat.com> 2.7.1-6
+- Don't segfault when given bad arguments (bug #972330).
+
+* Thu Apr 11 2013 Tim Waugh <twaugh@redhat.com> 2.7.1-5
+- Don't document unsupported -m option; document -x option (bug #948972).
+
+* Mon Mar 25 2013 Ville Skyttä <ville.skytta@iki.fi> - 2.7.1-4
+- Build with xattr support.
+- Make build output more verbose.
+- Fix bogus date in %%changelog.
+
+* Mon Mar 11 2013 Tim Waugh <twaugh@redhat.com> 2.7.1-3
+- Upstream patch to fix removal of empty directories (bug #919489).
+
+* Thu Feb 14 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.7.1-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild
+
+* Thu Oct 18 2012 Tim Waugh <twaugh@redhat.com> 2.7.1-1
+- Fixed license (since 2.6 it has been GPLv3+).
+- 2.7.1.
+
+* Thu Oct 18 2012 Tim Waugh <twaugh@redhat.com> 2.7-1
+- 2.7. No longer need sigsegv, get-arg, CVE-2010-4651,
+ backup-if-mismatch or coverity-leak patches.
+
+* Fri Jul 20 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.6.1-13
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
+
+* Fri Jan 13 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.6.1-12
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
+
+* Fri Nov 25 2011 Tim Waugh <twaugh@redhat.com> 2.6.1-11
+- Fixed NULL dereference in selinux patch.
+
+* Mon May 16 2011 Tim Waugh <twaugh@redhat.com> 2.6.1-10
+- Applied Jiri Popelka's fixes from Coverity scan (bug #704554):
+ - Avoid unchecked return from getfilecon() in patch-selinux.patch.
+ - Fix memory leak.
+
+* Wed Feb 16 2011 Tim Waugh <twaugh@redhat.com> 2.6.1-9
+- Let --posix cause --no-backup-if-mismatch (bug #678016).
+
+* Thu Feb 10 2011 Tim Waugh <twaugh@redhat.com> 2.6.1-8
+- Incorporate upstream fix for CVE-2010-4651 patch so that a target
+ name given on the command line is not validated (bug #667529).
+
+* Tue Feb 8 2011 Tim Waugh <twaugh@redhat.com> 2.6.1-7
+- Applied upstream patch to fix CVE-2010-4651 so that malicious
+ patches cannot create files above the current directory
+ (bug #667529).
+
+* Tue Jan 4 2011 Tim Waugh <twaugh@redhat.com> 2.6.1-6
+- Use smp_mflags correctly (bug #665770).
+
+* Mon Aug 16 2010 Tim Waugh <twaugh@redhat.com> 2.6.1-5
+- Another fix for the selinux patch (bug #618215).
+
+* Fri Aug 6 2010 Tim Waugh <twaugh@redhat.com> 2.6.1-4
+- Fixed interpretation of return value from getfilecon().
+- Fixed argument type for --get (bug #553624).
+
+* Fri Aug 6 2010 Dennis Gilmore <dennis@ausil.us>
+- using -fstack-projector causes weirdness on 32 bit sparc so disabling for now
+
+* Tue Jul 27 2010 Tim Waugh <twaugh@redhat.com> 2.6.1-3
+- Fixed argument type for --get (bug #553624).
+
+* Wed Mar 3 2010 Tim Waugh <twaugh@redhat.com> 2.6.1-2
+- Added comments for all patches.
+- Ship COPYING file.
+- Removed sparc ifdefs in spec file.
+
+* Mon Jan 4 2010 Tim Waugh <twaugh@redhat.com> 2.6.1-1
+- 2.6.1 (bug #551569). No longer need best-name patch.
+
+* Thu Dec 24 2009 Tim Waugh <twaugh@redhat.com> 2.6-2
+- Applied upstream patch to prevent incorrect filename being chosen
+ when adding a new file (bug #549122).
+
+* Mon Nov 16 2009 Tim Waugh <twaugh@redhat.com> 2.6-1
+- 2.6. No longer need stderr, suffix, stripcr, parse, allow-spaces,
+ ifdef, program_name, or posix-backup patches.
+
+* Sat Jul 25 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.5.4-40
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild
+
+* Wed Apr 29 2009 Tim Waugh <twaugh@redhat.com> 2.5.4-39
+- Fixed operation when SELinux is disabled (bug #498102). Patch from
+ Jan Kratochvil.
+
+* Thu Feb 26 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.5.4-38
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild
+
+* Tue Feb 17 2009 Tim Waugh <twaugh@redhat.com> 2.5.4-37
+- Don't set SELinux file context if it is already correct.
+
+* Mon Nov 24 2008 Tim Waugh <twaugh@redhat.com> 2.5.4-36
+- Better summary.
+
+* Mon Jun 30 2008 Tim Waugh <twaugh@redhat.com> 2.5.4-35
+- Don't fail if setfilecon() returns EPERM (bug #453365), although the
+ setfilecon man page suggests that ENOTSUP will be returned in this
+ case.
+
+* Mon Jun 16 2008 Tim Waugh <twaugh@redhat.com> 2.5.4-34
+- Only write simple backups for each file once during a run
+ (bug #234822).
+
+* Thu Jun 12 2008 Tim Waugh <twaugh@redhat.com> 2.5.4-33
+- Fix selinux patch and apply it. Build requires libselinux-devel.
+
+* Fri Feb 8 2008 Tim Waugh <twaugh@redhat.com> 2.5.4-32
+- Applied patch from 2.5.9 to allow spaces in filenames (bug #431887).
+
+* Mon Dec 3 2007 Tim Waugh <twaugh@redhat.com> 2.5.4-31
+- Convert spec file to UTF-8 (bug #226233).
+- Use _bindir macro in %%files (bug #226233).
+- Parallel make (bug #226233).
+- Better defattr declaration (bug #226233).
+
+* Thu Oct 4 2007 Tim Waugh <twaugh@redhat.com>
+- Beginnings of an SELinux patch (bug #165799); not applied yet.
+
+* Wed Aug 29 2007 Tim Waugh <twaugh@redhat.com> 2.5.4-30
+- Added dist tag.
+- More specific license tag.
+- Fixed summary.
+- Better buildroot tag.
+
+* Wed Jul 12 2006 Jesse Keating <jkeating@redhat.com> - 2.5.4-29.2.2
+- rebuild
+
+* Fri Feb 10 2006 Jesse Keating <jkeating@redhat.com> - 2.5.4-29.2.1
+- bump again for double-long bug on ppc(64)
+
+* Tue Feb 07 2006 Jesse Keating <jkeating@redhat.com> - 2.5.4-29.2
+- rebuilt for new gcc4.1 snapshot and glibc changes
+
+* Fri Dec 09 2005 Jesse Keating <jkeating@redhat.com>
+- rebuilt
+
+* Thu Sep 8 2005 Tim Waugh <twaugh@redhat.com> 2.5.4-29
+- Remove SELinux patch for now (bug #167822).
+
+* Wed Sep 7 2005 Tim Waugh <twaugh@redhat.com> 2.5.4-27
+- Applied patch from Ulrich Drepper to fix string overread (bug #167675).
+
+* Tue Sep 6 2005 Tim Waugh <twaugh@redhat.com> 2.5.4-26
+- Preserve SELinux file contexts (bug #165799).
+
+* Thu Aug 11 2005 Tim Waugh <twaugh@redhat.com> 2.5.4-25
+- Fixed CRLF detection (bug #154283).
+
+* Wed May 4 2005 Tim Waugh <twaugh@redhat.com> 2.5.4-24
+- Reverted last change (bug #154283, bug #156762).
+
+* Fri Apr 29 2005 Tim Waugh <twaugh@redhat.com> 2.5.4-23
+- Applied patch from Toshio Kuratomi to avoid problems with DOS-format
+ newlines (bug #154283).
+
+* Wed Mar 2 2005 Tim Waugh <twaugh@redhat.com> 2.5.4-22
+- Rebuild for new GCC.
+
+* Wed Feb 9 2005 Tim Waugh <twaugh@redhat.com> 2.5.4-21
+- Rebuilt.
+
+* Tue Jun 15 2004 Elliot Lee <sopwith@redhat.com>
+- rebuilt
+
+* Fri Feb 13 2004 Elliot Lee <sopwith@redhat.com>
+- rebuilt
+
+* Sat Oct 25 2003 Tim Waugh <twaugh@redhat.com> 2.5.4-18
+- Rebuilt.
+
+* Wed Jun 04 2003 Elliot Lee <sopwith@redhat.com>
+- rebuilt
+
+* Wed Jan 22 2003 Tim Powers <timp@redhat.com>
+- rebuilt
+
+* Wed Nov 20 2002 Tim Powers <timp@redhat.com>
+- rebuilt in current collinst
+
+* Fri Jun 21 2002 Tim Powers <timp@redhat.com>
+- automated rebuild
+
+* Thu May 23 2002 Tim Powers <timp@redhat.com>
+- automated rebuild
+
+* Tue Apr 9 2002 Tim Waugh <twaugh@redhat.com> 2.5.4-12
+- Fix error reporting when given bad options (bug #62981).
+
+* Tue Mar 5 2002 Tim Waugh <twaugh@redhat.com> 2.5.4-11
+- s/Copyright:/License:/.
+- Fix -D behaviour (bug #60688).
+
+* Tue May 29 2001 Tim Waugh <twaugh@redhat.com> 2.5.4-10
+- Merge Mandrake patch:
+ - fix possible segfault
+
+* Fri Dec 1 2000 Tim Waugh <twaugh@redhat.com>
+- Rebuild because of fileutils bug.
+
+* Thu Nov 2 2000 Tim Waugh <twaugh@redhat.com>
+- use .orig as default suffix, as per man page and previous behaviour
+ (bug #20202).
+- use better patch for this, from maintainer.
+
+* Wed Oct 4 2000 Tim Waugh <twaugh@redhat.com>
+- actually use the RPM_OPT_FLAGS
+
+* Wed Jul 12 2000 Prospector <bugzilla@redhat.com>
+- automatic rebuild
+
+* Tue Jun 13 2000 Trond Eivind Glomsrød <teg@redhat.com>
+- Use %%makeinstall, %%{_tmppath} and %%{_mandir}
+
+* Fri May 12 2000 Trond Eivind Glomsrød <teg@redhat.com>
+- added URL
+
+* Wed Feb 16 2000 Bernhard Rosenkraenzer <bero@redhat.com>
+- 2.5.4
+- Fix up LFS support on Alpha (Bug #5732)
+
+* Mon Feb 7 2000 Bill Nottingham <notting@redhat.com>
+- handle compressed manpages
+
+* Sun Jun 06 1999 Alan Cox <alan@redhat.com>
+- Fix the case where stderr isnt flushed for ask(). Now the 'no such file'
+ appears before the skip patch question, not at the very end, Doh!
+
+* Mon Mar 22 1999 Jeff Johnson <jbj@redhat.com>
+- (ultra?) sparc was getting large file system support.
+
+* Sun Mar 21 1999 Cristian Gafton <gafton@redhat.com>
+- auto rebuild in the new build environment (release 7)
+
+* Fri Dec 18 1998 Cristian Gafton <gafton@redhat.com>
+- build against glibc 2.1
+
+* Tue Sep 1 1998 Jeff Johnson <jbj@redhat.com>
+- bump release to preserve newer than back-ported 4.2.
+
+* Tue Jun 09 1998 Prospector System <bugs@redhat.com>
+- translations modified for de, fr
+
+* Tue Jun 9 1998 Jeff Johnson <jbj@redhat.com>
+- Fix for problem #682 segfault.
+
+* Fri Apr 24 1998 Prospector System <bugs@redhat.com>
+- translations modified for de, fr, tr
+
+* Tue Apr 07 1998 Cristian Gafton <gafton@redhat.com>
+- added buildroot
+
+* Tue Oct 21 1997 Cristian Gafton <gafton@redhat.com>
+- updated to 2.5
+
+* Mon Jun 02 1997 Erik Troan <ewt@redhat.com>
+- built against glibc