GNU patch through 2.7.6 is vulnerable to OS shell command injection that can be exploited by opening a crafted patch file that contains an ed-style diff payload with shell metacharacters. The ed editor does not need to be present on the vulnerable system. This is different from CVE-2018-1000156.
packetstormsecurity.com/files/154124/GNU-patch-Command-Injection-Directory-Traversal.html
access.redhat.com/errata/RHSA-2019:2798
access.redhat.com/errata/RHSA-2019:2964
access.redhat.com/errata/RHSA-2019:3757
access.redhat.com/errata/RHSA-2019:3758
access.redhat.com/errata/RHSA-2019:4061
git.savannah.gnu.org/cgit/patch.git/commit/?id=3fcd042d26d70856e826a42b5f93dc4854d80bf0
github.com/irsl/gnu-patch-vulnerabilities
lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SVWWGISFWACROJJPVJJL4UBLVZ7LPOLT/
seclists.org/bugtraq/2019/Aug/29
seclists.org/bugtraq/2019/Jul/54
security-tracker.debian.org/tracker/CVE-2019-13638
security.gentoo.org/glsa/201908-22
security.netapp.com/advisory/ntap-20190828-0001/
www.debian.org/security/2019/dsa-4489
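A pre-screen for untrusted patch files, as an added example that is not code from GNU patch or from any of the advisories listed: it rejects input containing ed-style diff commands before the file is ever handed to `patch`. The function name `screen_patch`, the verdict strings and the sample inputs are assumptions made for this illustration, and the check is a conservative filter, not a reimplementation of patch's own format detection.

```python
import re

# ed-script commands as emitted by `diff -e` ("5a", "3,7c", "12d"); "i" is
# ed's insert command. Normal-format lines such as "3c3" do not match.
ED_COMMAND = re.compile(r"^\d+(,\d+)?[acdi]$")
UNIFIED_HUNK = re.compile(r"^@@ -\d+(,\d+)? \+\d+(,\d+)? @@")


def screen_patch(patch_text):
    """Return (verdict, ed_hits) for the text of a patch file.

    verdict is "reject-ed" when any line looks like an ed command,
    "reject-unknown" when no unified hunk header is present, else "ok".
    Hypothetical helper for this example; allowlists unified diffs only.
    """
    ed_hits = []
    saw_unified = False
    for number, line in enumerate(patch_text.splitlines(), start=1):
        line = line.rstrip()
        # Lines inside a unified hunk start with ' ', '+', '-' or '\',
        # so they can never match the ed command pattern.
        if ED_COMMAND.match(line):
            ed_hits.append((number, line))
        elif UNIFIED_HUNK.match(line):
            saw_unified = True
    if ed_hits:
        return "reject-ed", ed_hits
    return ("ok" if saw_unified else "reject-unknown"), ed_hits


# Constructed sample inputs (benign, no payload), embedded so this runs offline.
UNIFIED_SAMPLE = (
    "--- a/hello.txt\n"
    "+++ b/hello.txt\n"
    "@@ -1,2 +1,2 @@\n"
    " hello\n"
    "-world\n"
    "+there\n"
)
ED_SAMPLE = "2c\nthere\n.\n"
NORMAL_SAMPLE = "2c2\n< world\n---\n> there\n"
MIXED_SAMPLE = UNIFIED_SAMPLE + ED_SAMPLE  # ed script appended to a unified diff

if __name__ == "__main__":
    for name in ("UNIFIED_SAMPLE", "ED_SAMPLE", "NORMAL_SAMPLE", "MIXED_SAMPLE"):
        print(name, screen_patch(globals()[name]))
```

The whole file is scanned rather than only its first hunk, because one patch file can carry several diffs in different formats.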