Report

CVE-2019-13636: GNU patch v2.7.6 symlink-following in create_file() allows writing to arbitrary files

637b5300-357f-441f-bd25-94190bc9daca

GNU patch v2.7.6 follows symlinks when creating output files, so an attacker who controls a symlink in the directory being patched can make patch write the patched output to any file the invoking user can write.

Root cause: safe_open() in src/safe.c traverses the directory components of a path safely, opening each one with openat() and O_DIRECTORY|O_NOFOLLOW, but it opens the FINAL path component with a plain openat() call that passes only the caller's flags, which lack O_NOFOLLOW. The directory walk therefore cannot be redirected, but the last component can be a symlink to anywhere, and that last component is the only thing the attacker needs to control.

Two primary vulnerable callers:
(1) create_file() in src/util.c, line 564: called with O_CREAT|O_TRUNC, it follows any symlink at the final path component and truncates and writes the symlink target instead of the intended output file.
(2) plan_b() in src/inp.c, line 356: opens the input file O_RDONLY without O_NOFOLLOW, so it reads through symlinks as well.

Attack vectors: pass -o with a path that is a symlink; trigger the cross-device rename path (rename() failing with EXDEV) and race it with a symlink; or simply pre-place a symlink at the patch target path before the patch is applied.
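The following C program is an added example, not code from GNU patch or from the reporter. It models the safe_open() walk described above (openat() with O_DIRECTORY|O_NOFOLLOW on each directory component, the caller's flags on the final component), plants a symlink at the patch target path as in the third attack vector, and contrasts the pre-fix create_file() flags (O_CREAT|O_TRUNC, no O_NOFOLLOW) with the same open plus O_NOFOLLOW. The temporary-directory layout, the file names, and the model_safe_open() and demo_symlink_follow() helpers are constructed for this demo and are not identifiers from the patch source; it handles relative paths only and assumes a Linux or other POSIX system with openat().

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Model of the safe_open() walk described in the report (not GNU patch's code):
   intermediate components are opened with O_DIRECTORY|O_NOFOLLOW, so the walk
   itself cannot be redirected; the final component gets the caller's flags, and
   the pre-fix create_file() passed O_CREAT|O_TRUNC with no O_NOFOLLOW.  The
   `nofollow` argument adds O_NOFOLLOW to model a hardened caller. `path` is
   taken relative to the directory fd `base` (demo simplification). */
static int model_safe_open(int base, const char *path, int flags, mode_t mode, int nofollow)
{
    char *copy = strdup(path), *save = NULL;
    int dirfd = base, fd = -1, saved_errno = ENOENT;
    if (!copy) return -1;
    char *comp = strtok_r(copy, "/", &save);
    while (comp) {
        char *next = strtok_r(NULL, "/", &save);
        if (next)   /* directory component: must be a real directory, never a link */
            fd = openat(dirfd, comp, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
        else        /* final component: the open CVE-2019-13636 is about */
            fd = openat(dirfd, comp, flags | (nofollow ? O_NOFOLLOW : 0), mode);
        if (fd < 0) saved_errno = errno;
        if (dirfd != base) close(dirfd);
        if (fd < 0) break;
        dirfd = fd;
        comp = next;
    }
    free(copy);
    if (fd < 0) errno = saved_errno;
    return fd;
}

struct demo_result {
    int followed;        /* 1 if the O_CREAT|O_TRUNC open wrote through the symlink */
    int hardened_errno;  /* errno from the O_NOFOLLOW variant; ELOOP means refused */
};

/* Constructed fixture for the "pre-placed symlink" vector:
     <tmp>/secret                   the file the attacker wants overwritten
     <tmp>/work/a.txt -> ../secret  planted where patch will write its output
   Returns {-1, -1} if the fixture could not be built. */
static struct demo_result demo_symlink_follow(void)
{
    struct demo_result r = { -1, -1 };
    char tmpl[] = "/tmp/cve-2019-13636-XXXXXX", buf[64] = "";
    char *dir = mkdtemp(tmpl);
    int base, fd;
    ssize_t n;
    if (!dir) return r;
    if ((base = open(dir, O_RDONLY | O_DIRECTORY)) < 0) {
        rmdir(dir);
        return r;
    }
    if ((fd = openat(base, "secret", O_WRONLY | O_CREAT | O_TRUNC, 0600)) < 0)
        goto out;
    n = write(fd, "original contents\n", 18);
    close(fd);
    if (n != 18 || mkdirat(base, "work", 0700) < 0
        || symlinkat("../secret", base, "work/a.txt") < 0)
        goto out;

    /* 1. Pre-fix create_file() flags: the open resolves to ../secret and truncates it. */
    fd = model_safe_open(base, "work/a.txt", O_WRONLY | O_CREAT | O_TRUNC, 0666, 0);
    if (fd >= 0) { n = write(fd, "patched output\n", 15); close(fd); }
    if ((fd = openat(base, "secret", O_RDONLY)) >= 0) {
        n = read(fd, buf, sizeof buf - 1);
        close(fd);
        buf[n > 0 ? n : 0] = '\0';
        r.followed = strcmp(buf, "patched output\n") == 0;
    }

    /* 2. Same open with O_NOFOLLOW: the kernel refuses the symlink instead of following it. */
    fd = model_safe_open(base, "work/a.txt", O_WRONLY | O_CREAT | O_TRUNC, 0666, 1);
    r.hardened_errno = fd < 0 ? errno : 0;   /* 0 would mean it was followed anyway */
    if (fd >= 0) close(fd);
out:
    unlinkat(base, "work/a.txt", 0);
    unlinkat(base, "work", AT_REMOVEDIR);
    unlinkat(base, "secret", 0);
    close(base);
    rmdir(dir);
    return r;
}

int main(void)
{
    struct demo_result r = demo_symlink_follow();
    if (r.followed < 0) { perror("fixture"); return 1; }
    printf("O_CREAT|O_TRUNC without O_NOFOLLOW overwrote secret: %s\n", r.followed ? "yes" : "no");
    printf("with O_NOFOLLOW: %s\n", r.hardened_errno == ELOOP ? "refused (ELOOP)" : strerror(r.hardened_errno));
    return 0;
}
```

Run it as an unprivileged user: the plain open reports that secret was overwritten through work/a.txt, while the O_NOFOLLOW variant fails with ELOOP, which is exactly the check the final openat() in safe_open() did not make. Note that O_NOFOLLOW protects only the last component; the O_DIRECTORY|O_NOFOLLOW walk protects the rest of the path, and both are needed.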