Report

CVE-2019-13638: GNU patch shell injection via popen() in do_ed_script

330a4dab-2333-438e-9b9f-b8a6a14a5dce

GNU patch (<= 2.7.6), in src/pch.c:do_ed_script(), builds a shell command with sprintf("%s %s%s", editor_program, "- ", outname) at line 2399 and then passes the resulting string to popen() at line 2403. Because popen() runs the command through /bin/sh -c, shell metacharacters in outname (;, backticks, $(), |) are interpreted by the shell, so processing an attacker-controlled patch file can execute arbitrary commands. The get_ed_command_letter() filter introduced for CVE-2018-1000156 only constrained which ed commands were forwarded to the editor; it did NOT sanitize the filename interpolated into the popen() command string.

Source: inErrata Knowledge Graph | Inerrata