diff -Nru patch-2.7.5/debian/changelog patch-2.7.5/debian/changelog
--- patch-2.7.5/debian/changelog	2018-04-10 13:47:59.000000000 +0000
+++ patch-2.7.5/debian/changelog	2019-07-23 12:18:08.000000000 +0000
@@ -1,3 +1,16 @@
+patch (2.7.5-1ubuntu0.16.04.2) xenial-security; urgency=medium
+
+  * SECURITY UPDATE: Directory traversal
+    - debian/patches/CVE-2019-13636.patch: Don't follow symlinks unless
+      --follow-symlinks is given in src/inp.c, src/util.c.
+    - CVE-2019-13636
+  * SECURITY UPDATE: Shell command injection
+    - debian/patches/CVE-2019-13638.patch: Invoke ed directly instead of
+      using the shell in src/pch.c.
+    - CVE-2019-13638
+
+ -- Leonidas S. Barbosa <leo.barbosa@canonical.com>  Tue, 23 Jul 2019 09:17:32 -0300
+
 patch (2.7.5-1ubuntu0.16.04.1) xenial-security; urgency=medium
 
   * SECURITY UPDATE: Out-of-bounds access
diff -Nru patch-2.7.5/debian/patches/CVE-2019-13636.patch patch-2.7.5/debian/patches/CVE-2019-13636.patch
--- patch-2.7.5/debian/patches/CVE-2019-13636.patch	1970-01-01 00:00:00.000000000 +0000
+++ patch-2.7.5/debian/patches/CVE-2019-13636.patch	2019-07-23 12:16:47.000000000 +0000
@@ -0,0 +1,105 @@
+From dce4683cbbe107a95f1f0d45fabc304acfb5d71a Mon Sep 17 00:00:00 2001
+From: Andreas Gruenbacher <agruen@gnu.org>
+Date: Mon, 15 Jul 2019 16:21:48 +0200
+Subject: Don't follow symlinks unless --follow-symlinks is given
+
+* src/inp.c (plan_a, plan_b), src/util.c (copy_to_fd, copy_file,
+append_to_file): Unless the --follow-symlinks option is given, open files with
+the O_NOFOLLOW flag to avoid following symlinks.  So far, we were only doing
+that consistently for input files.
+* src/util.c (create_backup): When creating empty backup files, (re)create them
+with O_CREAT | O_EXCL to avoid following symlinks in that case as well.
+---
+ src/inp.c  | 12 ++++++++++--
+ src/util.c | 14 +++++++++++---
+ 2 files changed, 21 insertions(+), 5 deletions(-)
+
+Index: patch-2.7.5/src/inp.c
+===================================================================
+--- patch-2.7.5.orig/src/inp.c
++++ patch-2.7.5/src/inp.c
+@@ -238,8 +238,13 @@ plan_a (char const *filename)
+     {
+       if (S_ISREG (instat.st_mode))
+         {
+-	  int ifd = safe_open (filename, O_RDONLY|binary_transput, 0);
++	  int flags = O_RDONLY | binary_transput;
+ 	  size_t buffered = 0, n;
++	  int ifd;
++
++	  if (! follow_symlinks)
++	    flags |= O_NOFOLLOW;
++	  ifd = safe_open (filename, flags, 0);
+ 	  if (ifd < 0)
+ 	    pfatal ("can't open file %s", quotearg (filename));
+ 
+@@ -340,6 +345,7 @@ plan_a (char const *filename)
+ static void
+ plan_b (char const *filename)
+ {
++  int flags = O_RDONLY | binary_transput;
+   int ifd;
+   FILE *ifp;
+   int c;
+@@ -353,7 +359,9 @@ plan_b (char const *filename)
+ 
+   if (instat.st_size == 0)
+     filename = NULL_DEVICE;
+-  if ((ifd = safe_open (filename, O_RDONLY | binary_transput, 0)) < 0
++  if (! follow_symlinks)
++    flags |= O_NOFOLLOW;
++  if ((ifd = safe_open (filename, flags, 0)) < 0
+       || ! (ifp = fdopen (ifd, binary_transput ? "rb" : "r")))
+     pfatal ("Can't open file %s", quotearg (filename));
+   if (TMPINNAME_needs_removal)
+Index: patch-2.7.5/src/util.c
+===================================================================
+--- patch-2.7.5.orig/src/util.c
++++ patch-2.7.5/src/util.c
+@@ -393,7 +393,7 @@ create_backup (char const *to, const str
+ 
+ 	  try_makedirs_errno = ENOENT;
+ 	  safe_unlink (bakname);
+-	  while ((fd = safe_open (bakname, O_CREAT | O_WRONLY | O_TRUNC, 0666)) < 0)
++	  while ((fd = safe_open (bakname, O_CREAT | O_EXCL | O_WRONLY | O_TRUNC, 0666)) < 0)
+ 	    {
+ 	      if (errno != try_makedirs_errno)
+ 		pfatal ("Can't create file %s", quotearg (bakname));
+@@ -584,10 +584,13 @@ create_file (char const *file, int open_
+ static void
+ copy_to_fd (const char *from, int tofd)
+ {
++  int from_flags = O_RDONLY | O_BINARY;
+   int fromfd;
+   ssize_t i;
+ 
+-  if ((fromfd = safe_open (from, O_RDONLY | O_BINARY, 0)) < 0)
++  if (! follow_symlinks)
++    from_flags |= O_NOFOLLOW;
++  if ((fromfd = safe_open (from, from_flags, 0)) < 0)
+     pfatal ("Can't reopen file %s", quotearg (from));
+   while ((i = read (fromfd, buf, bufsize)) != 0)
+     {
+@@ -628,6 +631,8 @@ copy_file (char const *from, char const
+   else
+     {
+       assert (S_ISREG (mode));
++      if (! follow_symlinks)
++	to_flags |= O_NOFOLLOW;
+       tofd = create_file (to, O_WRONLY | O_BINARY | to_flags, mode,
+ 			  to_dir_known_to_exist);
+       copy_to_fd (from, tofd);
+@@ -643,9 +648,12 @@ copy_file (char const *from, char const
+ void
+ append_to_file (char const *from, char const *to)
+ {
++  int to_flags = O_WRONLY | O_APPEND | O_BINARY;
+   int tofd;
+ 
+-  if ((tofd = safe_open (to, O_WRONLY | O_BINARY | O_APPEND, 0)) < 0)
++  if (! follow_symlinks)
++    to_flags |= O_NOFOLLOW;
++  if ((tofd = safe_open (to, to_flags, 0)) < 0)
+     pfatal ("Can't reopen file %s", quotearg (to));
+   copy_to_fd (from, tofd);
+   if (close (tofd) != 0)
diff -Nru patch-2.7.5/debian/patches/CVE-2019-13638.patch patch-2.7.5/debian/patches/CVE-2019-13638.patch
--- patch-2.7.5/debian/patches/CVE-2019-13638.patch	1970-01-01 00:00:00.000000000 +0000
+++ patch-2.7.5/debian/patches/CVE-2019-13638.patch	2019-07-23 12:17:22.000000000 +0000
@@ -0,0 +1,38 @@
+From 3fcd042d26d70856e826a42b5f93dc4854d80bf0 Mon Sep 17 00:00:00 2001
+From: Andreas Gruenbacher <agruen@gnu.org>
+Date: Fri, 6 Apr 2018 19:36:15 +0200
+Subject: Invoke ed directly instead of using the shell
+
+* src/pch.c (do_ed_script): Invoke ed directly instead of using a shell
+command to avoid quoting vulnerabilities.
+---
+ src/pch.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/src/pch.c b/src/pch.c
+index 4fd5a05..16e001a 100644
+--- a/src/pch.c
++++ b/src/pch.c
+@@ -2459,9 +2459,6 @@ do_ed_script (char const *inname, char const *outname,
+ 	    *outname_needs_removal = true;
+ 	    copy_file (inname, outname, 0, exclusive, instat.st_mode, true);
+ 	  }
+-	sprintf (buf, "%s %s%s", editor_program,
+-		 verbosity == VERBOSE ? "" : "- ",
+-		 outname);
+ 	fflush (stdout);
+ 
+ 	pid = fork();
+@@ -2470,7 +2467,8 @@ do_ed_script (char const *inname, char const *outname,
+ 	else if (pid == 0)
+ 	  {
+ 	    dup2 (tmpfd, 0);
+-	    execl ("/bin/sh", "sh", "-c", buf, (char *) 0);
++	    assert (outname[0] != '!' && outname[0] != '-');
++	    execlp (editor_program, editor_program, "-", outname, (char  *) NULL);
+ 	    _exit (2);
+ 	  }
+ 	else
+-- 
+cgit v1.0-41-gc330
+
diff -Nru patch-2.7.5/debian/patches/series patch-2.7.5/debian/patches/series
--- patch-2.7.5/debian/patches/series	2018-04-09 20:10:00.000000000 +0000
+++ patch-2.7.5/debian/patches/series	2019-07-23 12:17:22.000000000 +0000
@@ -6,3 +6,5 @@
 CVE-2018-6951.patch
 CVE-2018-1000156.patch
 0001-Fix-ed-style-test-failure.patch
+CVE-2019-13636.patch
+CVE-2019-13638.patch