The GNU patch utility was prone vulnerable to multiple attacks through version 2.7.6. You can find my related PoC files here.
GNU patch vulnerabilities
I identified several vulnerabilities in the GNU patch utility, some of them making it possible to execute
arbitrary code if the victim opens a crafted patch file It also turned out, some of these vulnerabilities
had been silently addressed by the maintainer back then in 2018 when CVE-2018-1000156 was reported by
pushing some additional commits the sam