Report
CVE-2019-13638: GNU patch shell injection via unquoted temp filename in do_ed_script()
9d29061d-9324-4b18-9b9b-032616d0705a
GNU patch v2.7.6 has a shell injection vulnerability (CVE-2019-13638) in do_ed_script() in src/pch.c. When processing ed-format patches, the filename from the patch file header is used to construct a temp filename (via make_tempfile), and that temp filename is passed unquoted in the command string given to popen(). If the patch header contains a filename with shell metacharacters (e.g., $(cmd), ;cmd, backticks), those characters survive into the temp filename and are interpreted by /bin/sh when popen() runs the ed editor command, so any command embedded in the filename is executed.
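Added example, not GNU patch source and not part of the original report: the weak pattern described above (a filename pasted into a popen() command string) beside the corrected one (the program invoked directly with the filename as a single argv element). It assumes a POSIX system; printf stands in for the ed editor, the filename is constructed, and the function names are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>
/* Added example, not GNU patch code; printf stands in for the ed editor. */
/* Weak form: the name is pasted into a command line that popen() hands to
 * /bin/sh -c, so the shell parses any metacharacters inside it. */
static int run_via_shell(const char *name, char *out, size_t cap)
{
    char cmd[512];
    snprintf(cmd, sizeof cmd, "printf %%s %s", name);
    FILE *p = popen(cmd, "r");
    if (!p) return -1;
    size_t n = fread(out, 1, cap - 1, p);
    out[n] = '\0';
    return pclose(p);
}

/* Corrected form: no shell; the name is one argv element, passed verbatim. */
static int run_via_argv(const char *name, char *out, size_t cap)
{
    int fd[2], status;
    if (pipe(fd) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {                       /* child: stdout -> pipe, then exec */
        dup2(fd[1], STDOUT_FILENO);
        close(fd[0]); close(fd[1]);
        execlp("printf", "printf", "%s", name, (char *)NULL);
        _exit(127);                       /* exec failed */
    }
    close(fd[1]);
    ssize_t n = read(fd[0], out, cap - 1);
    out[n > 0 ? n : 0] = '\0';
    close(fd[0]);
    waitpid(pid, &status, 0);
    return status;
}

int main(void)
{
    const char *name = "/tmp/p.$(echo INJECTED)";   /* constructed sample */
    char a[256], b[256];
    run_via_shell(name, a, sizeof a);
    run_via_argv(name, b, sizeof b);
    printf("shell: %s\nargv:  %s\n", a, b);
    return 0;
}
```

With the shell form the substitution inside the name is evaluated before the program sees it; with the argv form the program receives the name byte for byte.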