diff -Nru patch-2.6.1/debian/changelog patch-2.6.1/debian/changelog
--- patch-2.6.1/debian/changelog 2012-01-25 14:11:50.000000000 +0000
+++ patch-2.6.1/debian/changelog 2015-06-12 01:33:34.000000000 +0000
@@ -1,3 +1,16 @@
+patch (2.6.1-3ubuntu0.1) precise-security; urgency=medium
+
+ * SECURITY UPDATE: Directory traversal via crafted patch
+ - debian/patches/CVE-2010-4651.patch: Restrict file creation to the
+ current directory and its subdirectories
+ - CVE-2010-4651
+ * SECURITY UPDATE: Denial of service via crafted patch
+ - debian/patches/CVE-2014-9637.patch: Detect and exit upon memory
+ allocation failures
+ - CVE-2014-9637
+
+ -- Tyler Hicks Thu, 11 Jun 2015 20:33:29 -0500
+
 patch (2.6.1-3) unstable; urgency=low
 
 * 3.0 (quilt).
diff -Nru patch-2.6.1/debian/control patch-2.6.1/debian/control
--- patch-2.6.1/debian/control 2012-01-25 14:11:20.000000000 +0000
+++ patch-2.6.1/debian/control 2015-01-29 19:28:15.000000000 +0000
@@ -1,7 +1,8 @@
 Source: patch
 Section: vcs
 Priority: standard
-Maintainer: Christoph Berg
+Maintainer: Ubuntu Developers
+XSBC-Original-Maintainer: Christoph Berg
 Build-Depends: debhelper (>= 7), ed
 Standards-Version: 3.9.2
 Vcs-Git: git://git.debian.org/collab-maint/patch.git
diff -Nru patch-2.6.1/debian/patches/CVE-2010-4651.patch patch-2.6.1/debian/patches/CVE-2010-4651.patch
--- patch-2.6.1/debian/patches/CVE-2010-4651.patch 1970-01-01 00:00:00.000000000 +0000
+++ patch-2.6.1/debian/patches/CVE-2010-4651.patch 2015-02-03 21:50:13.000000000 +0000
@@ -0,0 +1,190 @@
+Subject: Do not let a malicious patch create files above current directory
+Origin: backport, http://git.savannah.gnu.org/cgit/patch.git/commit/?id=685a78b6052f4df6eac6d625a545cfb54a6ac0e1
+Origin: backport, http://git.savannah.gnu.org/cgit/patch.git/commit/?id=f663762bf0aa5089fee41d62a4e7528f436164d4
+
+Index: patch-2.6.1/src/pch.c
+===================================================================
+--- patch-2.6.1.orig/src/pch.c 2015-01-29 17:02:02.054381426 -0600
++++ patch-2.6.1/src/pch.c 2015-01-29 17:02:02.054381426 -0600
+@@ -311,6 +311,31 @@ there_is_another_patch (bool need_header
+ return true;
+ }
+ 
++static bool
++name_is_valid (char const *name)
++{
++ const char *n = name;
++
++ if (IS_ABSOLUTE_FILE_NAME (name))
++ {
++ say ("Ignoring potentially dangerous file name %s\n", quotearg (name));
++ return false;
++ }
++ for (n = name; *n; )
++ {
++ if (*n == '.' && *++n == '.' && ( ! *++n || ISSLASH (*n)))
++ {
++ say ("Ignoring potentially dangerous file name %s\n", quotearg (name));
++ return false;
++ }
++ while (*n && ! ISSLASH (*n))
++ n++;
++ while (ISSLASH (*n))
++ n++;
++ }
++ return true;
++}
++
+ /* Determine what kind of diff is in the remaining part of the patch file. */
+ 
+ static enum diff
+@@ -628,7 +653,7 @@ intuit_diff_type (bool need_header)
+ else
+ {
+ stat_errno[i] = 0;
+- if (posixly_correct)
++ if (posixly_correct && name_is_valid (p_name[i]))
+ break;
+ }
+ i0 = i;
+@@ -798,6 +823,7 @@ best_name (char *const *name, int const
+ /* Of those, take the first name. 
*/ + for (i = OLD; i <= INDEX; i++) + if (name[i] && !ignore[i] ++ && name_is_valid (name[i]) + && components[i] == components_min + && basename_len[i] == basename_len_min + && len[i] == len_min) +Index: patch-2.6.1/tests/bad-filenames +=================================================================== +--- /dev/null 1970-01-01 00:00:00.000000000 +0000 ++++ patch-2.6.1/tests/bad-filenames 2015-01-29 17:02:02.054381426 -0600 +@@ -0,0 +1,116 @@ ++# Copyright (C) 2011 Free Software Foundation, Inc. ++# ++# Copying and distribution of this file, with or without modification, ++# in any medium, are permitted without royalty provided the copyright ++# notice and this notice are preserved. ++ ++. $srcdir/test-lib.sh ++ ++use_local_patch ++use_tmpdir ++ ++# ================================================================ ++ ++emit_patch() ++{ ++cat < d.diff < f ++check 'patch -f -p0 --dry-run < d.diff || echo status: $?' < g ++check 'patch -f -p1 --dry-run < d.diff || echo status: $?' < +Date: Tue, 20 Jan 2015 12:20:00 +0100 +Subject: [PATCH] Fail when out of memory in set_hunkmax() + +src/pch.c (another_hunk): Call set_hunkmax() from here to make sure it is +called even when falling back from plan A to plan B. +(open_patch_file): No need to call set_hunkmax() anymore. +src/pch.c (set_hunkmax): Fail when out of memory. Make static. +src/pch.h: Remove set_hunkmax() prototype. 
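Review bot: In the src/pch.c part of CVE-2010-4651.patch, `name_is_valid` is added without a header comment, and the check it performs is purely lexical: it rejects absolute names and any `..` component. A relative name that passes through a symlink already present in the working tree would still be accepted as far as these hunks show. I would state that limit above the function, e.g. `/* Return true if NAME is relative and has no ".." component. Lexical check only; symlinks are not resolved. */`. The initializer in `const char *n = name;` is redundant because the `for` loop assigns `n = name` again. `intuit_diff_type` and `best_name` both continue outside the hunks, so any other path by which a file name reaches the output side is not visible here.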
+
+Origin: backport, http://git.savannah.gnu.org/cgit/patch.git/commit/?id=0c08d7a902c6fdd49b704623a12d8d672ef18944
+Bug: https://savannah.gnu.org/bugs/?44051
+
+---
+ src/pch.c | 12 +++++++-----
+ src/pch.h | 1 -
+ 2 files changed, 7 insertions(+), 6 deletions(-)
+
+Index: patch-2.6.1/src/pch.c
+===================================================================
+--- patch-2.6.1.orig/src/pch.c 2015-01-29 17:02:08.870352898 -0600
++++ patch-2.6.1/src/pch.c 2015-01-29 17:02:08.866352915 -0600
+@@ -30,6 +30,7 @@
+ #undef XTERN
+ #define XTERN
+ #include
++#include
+ 
+ #define INITHUNKMAX 125 /* initial dynamic allocation size */
+ 
+@@ -158,20 +159,19 @@ open_patch_file (char const *filename)
+ if (p_filesize != (file_offset) p_filesize)
+ fatal ("patch file is too long");
+ next_intuit_at (file_pos, (LINENUM) 1);
+- set_hunkmax();
+ }
+ 
+ /* Make sure our dynamically realloced tables are malloced to begin with. */
+ 
+-void
++static void
+ set_hunkmax (void)
+ {
+ if (!p_line)
+- p_line = (char **) malloc (hunkmax * sizeof *p_line);
++ p_line = (char **) xmalloc (hunkmax * sizeof *p_line);
+ if (!p_len)
+- p_len = (size_t *) malloc (hunkmax * sizeof *p_len);
++ p_len = (size_t *) xmalloc (hunkmax * sizeof *p_len);
+ if (!p_Char)
+- p_Char = malloc (hunkmax * sizeof *p_Char);
++ p_Char = xmalloc (hunkmax * sizeof *p_Char);
+ }
+ 
+ /* Enlarge the arrays containing the current hunk of patch. 
*/
+@@ -927,6 +927,8 @@ another_hunk (enum diff difftype, bool r
+ char numbuf2[LINENUM_LENGTH_BOUND + 1];
+ char numbuf3[LINENUM_LENGTH_BOUND + 1];
+ 
++ set_hunkmax();
++
+ while (p_end >= 0) {
+ if (p_end == p_efake)
+ p_end = p_bfake; /* don't free twice */
+Index: patch-2.6.1/src/pch.h
+===================================================================
+--- patch-2.6.1.orig/src/pch.h 2015-01-29 17:02:08.870352898 -0600
++++ patch-2.6.1/src/pch.h 2015-01-29 17:02:08.866352915 -0600
+@@ -45,5 +45,4 @@ time_t pch_timestamp (bool);
+ void do_ed_script (FILE *);
+ void open_patch_file (char const *);
+ void re_patch (void);
+-void set_hunkmax (void);
+ void pch_normalize (enum diff);
diff -Nru patch-2.6.1/debian/patches/series patch-2.6.1/debian/patches/series
--- patch-2.6.1/debian/patches/series 2012-01-25 14:16:32.000000000 +0000
+++ patch-2.6.1/debian/patches/series 2015-01-29 23:01:59.000000000 +0000
@@ -1,3 +1,5 @@
 558485-backupmode
 m-merge
 disable-update-version
+CVE-2010-4651.patch
+CVE-2014-9637.patch
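Review bot: In debian/patches/CVE-2014-9637.patch, the comment kept above `set_hunkmax` ("Make sure our dynamically realloced tables are malloced to begin with.") no longer matches the function. It now allocates through `xmalloc` instead of an unchecked `malloc`, and it is called at the top of `another_hunk` rather than once from `open_patch_file`. I would update the comment to say that it allocates whichever of `p_line`, `p_len` and `p_Char` is still null, that allocation failure is fatal, and that it runs per hunk so the tables exist after the plan A to plan B fallback named in the patch description. The three sizes are still computed as `hunkmax * sizeof *p_...` with no overflow check; whether `hunkmax` can grow far enough for that to matter depends on the enlarging routine, which lies outside these hunks. As a style point, the new call is written `set_hunkmax();` while the surrounding code puts a space before the parenthesis, as in `set_hunkmax (void)`.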