diff -Nru patch-2.6.1/debian/changelog patch-2.6.1/debian/changelog
--- patch-2.6.1/debian/changelog	2015-06-12 01:33:34.000000000 +0000
+++ patch-2.6.1/debian/changelog	2018-04-16 12:34:25.000000000 +0000
@@ -1,3 +1,16 @@
+patch (2.6.1-3ubuntu0.2) precise-security; urgency=medium
+
+  * SECURITY UPDATE: Out-of-bounds access
+    - debian/patches/CVE-2016-10713.patch: fix in
+      src/pch.c.
+    - CVE-2016-10713
+  * SECURITY UPDATE: Input validation vulnerability
+    - debian/patches/CVE-2018-1000156.patch: fix in
+      src/pch.c adding tests in Makefile.in, tests/ed-style.
+    - CVE-2018-1000156
+
+ -- Leonidas S. Barbosa <leo.barbosa@canonical.com>  Mon, 16 Apr 2018 09:34:21 -0300
+
 patch (2.6.1-3ubuntu0.1) precise-security; urgency=medium
 
   * SECURITY UPDATE: Directory traversal via crafted patch
diff -Nru patch-2.6.1/debian/patches/CVE-2016-10713.patch patch-2.6.1/debian/patches/CVE-2016-10713.patch
--- patch-2.6.1/debian/patches/CVE-2016-10713.patch	1970-01-01 00:00:00.000000000 +0000
+++ patch-2.6.1/debian/patches/CVE-2016-10713.patch	2018-04-09 13:54:42.000000000 +0000
@@ -0,0 +1,23 @@
+Backported of:
+
+From a0d7fe4589651c64bd16ddaaa634030bb0455866 Mon Sep 17 00:00:00 2001
+From: Hanno Boeck <hanno@gentoo.org>
+Date: Wed, 10 Aug 2016 00:06:41 +0200
+Subject: [PATCH] Fix out-of-bounds access to lines in a patch
+
+This bug can trigger with malformed patches.
+* src/pch.c (pch_write_line): Avoid out-of-bounds access to
+p_line[line][p_len[line] - 1] when p_len[line] is 0.
+diff --git a/src/pch.c b/src/pch.c
+index d77bcdd..9fe0df5 100644
+--- a/src/pch.c
++++ b/src/pch.c
+@@ -2004,7 +2004,7 @@ pfetch (LINENUM line)
+ bool
+ pch_write_line (LINENUM line, FILE *file)
+ {
+-  bool after_newline = p_line[line][p_len[line] - 1] == '\n';
++  bool after_newline = (p_len[line] > 0) && (p_line[line][p_len[line] - 1] == '\n');
+   if (! fwrite (p_line[line], sizeof (*p_line[line]), p_len[line], file))
+     write_fatal ();
+   return after_newline;
diff -Nru patch-2.6.1/debian/patches/CVE-2018-1000156.patch patch-2.6.1/debian/patches/CVE-2018-1000156.patch
--- patch-2.6.1/debian/patches/CVE-2018-1000156.patch	1970-01-01 00:00:00.000000000 +0000
+++ patch-2.6.1/debian/patches/CVE-2018-1000156.patch	2018-04-16 12:27:47.000000000 +0000
@@ -0,0 +1,180 @@
+Author: Chris Lamb <lamby@debian.org>
+Description: Based on <http://git.savannah.gnu.org/cgit/patch.git/commit/?id=123eaff0d5d1aebe128295959435b9ca5909c26d>
+
+Index: patch-2.6.1/Makefile.in
+===================================================================
+--- patch-2.6.1.orig/Makefile.in
++++ patch-2.6.1/Makefile.in
+@@ -196,6 +196,7 @@ TESTS = \
+ 	tests/corrupt-reject-files \
+ 	tests/create-delete \
+ 	tests/crlf-handling \
++	tests/CVE-2018-1000156 \
+ 	tests/filename-choice \
+ 	tests/global-reject-files \
+ 	tests/inname \
+Index: patch-2.6.1/src/pch.c
+===================================================================
+--- patch-2.6.1.orig/src/pch.c
++++ patch-2.6.1/src/pch.c
+@@ -27,6 +27,7 @@
+ #include <inp.h>
+ #include <quotearg.h>
+ #include <util.h>
++#include <sys/wait.h>
+ #undef XTERN
+ #define XTERN
+ #include <pch.h>
+@@ -2095,20 +2096,24 @@ do_ed_script (FILE *ofp)
+     static char const ed_program[] = ed_PROGRAM;
+ 
+     register file_offset beginning_of_this_line;
+-    register FILE *pipefp = 0;
+     register size_t chars_read;
++    FILE *tmpfp = 0;
++    char tmpname[] = "/tmp/fileXXXXXX";
++    int tmpfd = -1;
++    pid_t pid;
+ 
+     if (! dry_run && ! skip_rest_of_patch) {
+-	int exclusive = TMPOUTNAME_needs_removal ? 0 : O_EXCL;
+-	assert (! inerrno);
+-	TMPOUTNAME_needs_removal = 1;
+-	copy_file (inname, TMPOUTNAME, 0, exclusive, instat.st_mode, true);
+-	sprintf (buf, "%s %s%s", ed_program, verbosity == VERBOSE ? "" : "- ",
+-		 TMPOUTNAME);
+-	fflush (stdout);
+-	pipefp = popen(buf, binary_transput ? "wb" : "w");
+-	if (!pipefp)
+-	  pfatal ("Can't open pipe to %s", quotearg (buf));
++	/* Write ed script to a temporary file.  This causes ed to abort on
++	   invalid commands such as when line numbers or ranges exceed the
++	   number of available lines.  When ed reads from a pipe, it rejects
++	   invalid commands and treats the next line as a new command, which
++	   can lead to arbitrary command execution.  */
++	tmpfd = mkstemp(tmpname);
++	if (tmpfd == -1)
++	  pfatal ("Can't create temporary file %s", quotearg (tmpname));
++	tmpfp = fdopen (tmpfd, "w+b");
++	if (! tmpfp)
++	  pfatal ("Can't open stream for file %s", quotearg (tmpname));
+     }
+     for (;;) {
+ 	char ed_command_letter;
+@@ -2120,14 +2125,14 @@ do_ed_script (FILE *ofp)
+ 	}
+ 	ed_command_letter = get_ed_command_letter (buf);
+ 	if (ed_command_letter) {
+-	    if (pipefp)
+-		if (! fwrite (buf, sizeof *buf, chars_read, pipefp))
++	    if (tmpfp)
++		if (! fwrite (buf, sizeof *buf, chars_read, tmpfp))
+ 		    write_fatal ();
+ 	    if (ed_command_letter != 'd' && ed_command_letter != 's') {
+ 	        p_pass_comments_through = true;
+ 		while ((chars_read = get_line ()) != 0) {
+-		    if (pipefp)
+-			if (! fwrite (buf, sizeof *buf, chars_read, pipefp))
++		    if (tmpfp)
++			if (! fwrite (buf, sizeof *buf, chars_read, tmpfp))
+ 			    write_fatal ();
+ 		    if (chars_read == 2  &&  strEQ (buf, ".\n"))
+ 			break;
+@@ -2140,13 +2145,45 @@ do_ed_script (FILE *ofp)
+ 	    break;
+ 	}
+     }
+-    if (!pipefp)
++    if (!tmpfp)
+       return;
+-    if (fwrite ("w\nq\n", sizeof (char), (size_t) 4, pipefp) == 0
+-	|| fflush (pipefp) != 0)
++    if (fwrite ("w\nq\n", sizeof (char), (size_t) 4, tmpfp) == 0
++	|| fflush (tmpfp) != 0)
+       write_fatal ();
+-    if (pclose (pipefp) != 0)
+-      fatal ("%s FAILED", ed_program);
++
++    if (lseek (tmpfd, 0, SEEK_SET) == -1)
++      pfatal ("Can't rewind to the beginning of file %s", quotearg (tmpname));
++
++    if (! dry_run && ! skip_rest_of_patch) {
++	int exclusive = TMPOUTNAME_needs_removal ? 0 : O_EXCL;
++	assert (! inerrno);
++	TMPOUTNAME_needs_removal = 1;
++	copy_file (inname, TMPOUTNAME, 0, exclusive, instat.st_mode, true);
++	sprintf (buf, "%s %s%s", ed_program, verbosity == VERBOSE ? "" : "- ",
++		 TMPOUTNAME);
++	fflush (stdout);
++
++	pid = fork();
++	if (pid == -1)
++	  pfatal ("Can't fork");
++	else if (pid == 0)
++	  {
++	    dup2 (tmpfd, 0);
++	    execl ("/bin/sh", "sh", "-c", buf, (char *) 0);
++	    _exit (2);
++	  }
++	else
++	  {
++	    int wstatus;
++	    if (waitpid (pid, &wstatus, 0) == -1
++	        || ! WIFEXITED (wstatus)
++		|| WEXITSTATUS (wstatus) != 0)
++	      fatal ("%s FAILED", ed_program);
++	  }
++    }
++
++    fclose (tmpfp);
++    unlink (tmpname);
+ 
+     if (ofp)
+       {
+Index: patch-2.6.1/tests/CVE-2018-1000156
+===================================================================
+--- /dev/null
++++ patch-2.6.1/tests/CVE-2018-1000156
+@@ -0,0 +1,42 @@
++# Copyright (C) 2018 Chris Lamb <lamby@debian.org>
++#
++# Copying and distribution of this file, with or without modification,
++# in any medium, are permitted without royalty provided the copyright
++# notice and this notice are preserved.
++
++# Check for CVE-2018-1000156 <https://rachelbythebay.com/w/2018/04/05/bangpatch/>
++
++. $srcdir/test-lib.sh
++
++require_cat
++use_local_patch
++use_tmpdir
++
++# ==============================================================
++
++cat > evil.patch <<EOF
++--- /dev/null   2018-13-37 13:37:37.000000000 +0100
+++++ b/beep.c    2018-13-37 13:38:38.000000000 +0100
++1337a
++1,112d
++!touch 0wned; ls 0wned
++.
++EOF
++
++touch beep.c
++
++# ==============================================================
++
++if ! have_ed ; then
++    echo "The ed utility is not available; skipping ed related tests"
++else
++    check 'patch < evil.patch || echo "Status: $?"' <<EOF
++?
++$PATCH: **** /bin/ed FAILED
++Status: 2
++EOF
++
++    check 'test -e 0wned || echo "Status: $?"' << EOF
++Status: 1
++EOF
++fi
diff -Nru patch-2.6.1/debian/patches/series patch-2.6.1/debian/patches/series
--- patch-2.6.1/debian/patches/series	2015-01-29 23:01:59.000000000 +0000
+++ patch-2.6.1/debian/patches/series	2018-04-16 12:29:02.000000000 +0000
@@ -3,3 +3,5 @@
 disable-update-version
 CVE-2010-4651.patch
 CVE-2014-9637.patch
+CVE-2016-10713.patch
+CVE-2018-1000156.patch