In GNU patch through 2.7.6, the following of symlinks is mishandled in certain cases other than input files. This affects inp.c and util.c. Upstream patch: https://git.savannah.gnu.org/cgit/patch.git/commit/?id=dce4683cbbe107a95f1f0d45fabc304acfb5d71a
Created patch tracking bugs for this issue: Affects: fedora-all [bug 1732842]
There is a flaw on patch package. When applying patch files patch application follows symlinks by default, even with no --follow-symlinks option being used. This can be used by an attacker to access other filesystem files other than the expected one via a crafted patch file.
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2020:1852 https://access.redhat.com/errata/RHSA-2020:1852
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-13636