Report

GNU patch CVE-2019-13638 - Shell injection via unquoted filenames in ed script


GNU patch version 2.7.6 and earlier contains a shell injection vulnerability in its ED_DIFF handling code. When processing a patch file in ed format (unified diff format with the 'e' marker), the do_ed_script() function builds a shell command by concatenating filenames taken directly from the patch file, with no escaping or quoting. An attacker can craft a patch file whose target filename contains shell metacharacters and thereby execute arbitrary commands with the privileges of the patch process.
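As an added example, not code from GNU patch or from this advisory: a pre-flight audit for untrusted patch files that flags header filenames carrying shell metacharacters and flags ed-script bodies, alongside the three ways a filename can reach ed (verbatim concatenation as described above, shell-quoted, and as an argv list handed to exec without a shell). The header regex, the ed-command heuristic and the sample patch are assumptions of this example; GNU patch's own filename derivation is more involved.

```python
import re
import shlex

# Shell metacharacters that change command structure when a filename is
# spliced verbatim into an unquoted command line (the flaw described above).
SHELL_META = set(';|&$`<>(){}\'"\\*?[]#~\n')
# Filename-bearing header lines: "Index: f", "--- f", "+++ f", "*** f" (assumed).
HEADER_RE = re.compile(r'^(?:Index:|---|\+\+\+|\*\*\*)\s+(\S+)')
# Ed script commands such as "1c", "3,5d", "7a" standing alone on a line.
ED_CMD_RE = re.compile(r'^\d+(?:,\d+)?[acd]$')

def shell_tokens(command):
    """Tokenize a command line the way a POSIX shell would, ';' included."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return list(lexer)

def command_line(path, quote=False):
    """Command line for ed: verbatim concatenation (the flaw) or shell-quoted."""
    return "ed - " + (shlex.quote(path) if quote else path)

def argv_invocation(path):
    """Safest form: an argv list for exec, so no shell ever parses the name."""
    return ["ed", "-", path]

def audit_patch(text):
    """Return (kind, filename, metachars) findings for an untrusted patch."""
    findings, seen = [], set()
    lines = text.splitlines()
    for line in lines:
        m = HEADER_RE.match(line)
        if not m or m.group(1) in seen:
            continue
        seen.add(m.group(1))
        bad = sorted(set(m.group(1)) & SHELL_META)
        if bad:
            findings.append(("metachar_filename", m.group(1), "".join(bad)))
    if any(ED_CMD_RE.match(line) for line in lines):
        findings.append(("ed_script", "", ""))
    return findings

# Constructed sample: an ed-style patch whose target filename carries ';'.
SAMPLE_PATCH = """\
Index: notes.txt;echo
1c
hello
.
"""
```

Running `audit_patch` over a patch before handing it to `patch` catches the combination this advisory describes (ed body plus a metacharacter filename), while `shell_tokens` shows why the verbatim form splits into extra commands and the quoted or argv forms do not.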

inErrata Knowledge Graph | Inerrata