Diffstat (limited to 'pkgs/tools')
-rw-r--r--pkgs/tools/X11/caffeine-ng/default.nix4
-rw-r--r--pkgs/tools/X11/xpra/default.nix4
-rw-r--r--pkgs/tools/audio/gvolicon/default.nix4
-rw-r--r--pkgs/tools/compression/zstd/default.nix11
-rw-r--r--pkgs/tools/filesystems/e2fsprogs/default.nix4
-rw-r--r--pkgs/tools/graphics/blur-effect/default.nix4
-rw-r--r--pkgs/tools/inputmethods/ibus/default.nix4
-rw-r--r--pkgs/tools/misc/birdfont/default.nix4
-rw-r--r--pkgs/tools/misc/staruml/default.nix4
-rw-r--r--pkgs/tools/misc/sweep-visualizer/default.nix8
-rw-r--r--pkgs/tools/misc/system-config-printer/default.nix4
-rw-r--r--pkgs/tools/networking/curl/default.nix4
-rw-r--r--pkgs/tools/networking/driftnet/default.nix4
-rw-r--r--pkgs/tools/networking/openresolv/default.nix4
-rw-r--r--pkgs/tools/security/encryptr/default.nix4
-rw-r--r--pkgs/tools/security/keybase/gui.nix4
-rw-r--r--pkgs/tools/system/collectd/default.nix4
-rw-r--r--pkgs/tools/system/ddrescueview/default.nix4
-rw-r--r--pkgs/tools/text/gnupatch/CVE-2019-13636.patch108
-rw-r--r--pkgs/tools/text/gnupatch/CVE-2019-13638.patch38
-rw-r--r--pkgs/tools/text/gnupatch/default.nix6
21 files changed, 194 insertions, 41 deletions
diff --git a/pkgs/tools/X11/caffeine-ng/default.nix b/pkgs/tools/X11/caffeine-ng/default.nix
index aff7b8adfc23..57f32ed82250 100644
--- a/pkgs/tools/X11/caffeine-ng/default.nix
+++ b/pkgs/tools/X11/caffeine-ng/default.nix
@@ -1,4 +1,4 @@
-{ gdk_pixbuf, glib, gobject-introspection, gtk3, lib, libnotify,
+{ gdk-pixbuf, glib, gobject-introspection, gtk3, lib, libnotify,
   pythonPackages, wrapGAppsHook
 }:
 
@@ -12,7 +12,7 @@ pythonPackages.buildPythonApplication rec {
   };
 
   nativeBuildInputs = [ wrapGAppsHook glib ];
-  buildInputs = [ gdk_pixbuf gobject-introspection libnotify gtk3 ];
+  buildInputs = [ gdk-pixbuf gobject-introspection libnotify gtk3 ];
   pythonPath = with pythonPackages; [
     dbus-python docopt ewmh pygobject3 pyxdg
     setproctitle setuptools setuptools_scm wheel
diff --git a/pkgs/tools/X11/xpra/default.nix b/pkgs/tools/X11/xpra/default.nix
index efafbb3692ed..863c02fb23dd 100644
--- a/pkgs/tools/X11/xpra/default.nix
+++ b/pkgs/tools/X11/xpra/default.nix
@@ -1,5 +1,5 @@
 { stdenv, lib, fetchurl, callPackage, substituteAll, python3, pkgconfig
-, xorg, gtk3, glib, pango, cairo, gdk_pixbuf, atk
+, xorg, gtk3, glib, pango, cairo, gdk-pixbuf, atk
 , wrapGAppsHook, xorgserver, getopt, xauth, utillinux, which
 , ffmpeg_4, x264, libvpx, libwebp, x265
 , libfakeXinerama
@@ -40,7 +40,7 @@ in buildPythonApplication rec {
     ] ++ [
     cython
 
-    pango cairo gdk_pixbuf atk.out gtk3 glib
+    pango cairo gdk-pixbuf atk.out gtk3 glib
 
     ffmpeg_4 libvpx x264 libwebp x265
 
diff --git a/pkgs/tools/audio/gvolicon/default.nix b/pkgs/tools/audio/gvolicon/default.nix
index 4a0c244f07f7..c66c6bc1f7e0 100644
--- a/pkgs/tools/audio/gvolicon/default.nix
+++ b/pkgs/tools/audio/gvolicon/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, makeWrapper, alsaLib, pkgconfig, fetchgit, gtk3, gnome3, gdk_pixbuf, librsvg, wrapGAppsHook }:
+{ stdenv, makeWrapper, alsaLib, pkgconfig, fetchgit, gtk3, gnome3, gdk-pixbuf, librsvg, wrapGAppsHook }:
 
 stdenv.mkDerivation {
   name = "gvolicon-2014-04-28";
@@ -10,7 +10,7 @@ stdenv.mkDerivation {
 
   nativeBuildInputs = [ pkgconfig ];
   buildInputs = [
-    makeWrapper alsaLib gtk3 gdk_pixbuf gnome3.adwaita-icon-theme
+    makeWrapper alsaLib gtk3 gdk-pixbuf gnome3.adwaita-icon-theme
     librsvg wrapGAppsHook
   ];
 
diff --git a/pkgs/tools/compression/zstd/default.nix b/pkgs/tools/compression/zstd/default.nix
index ff2589031b6b..257396e04289 100644
--- a/pkgs/tools/compression/zstd/default.nix
+++ b/pkgs/tools/compression/zstd/default.nix
@@ -4,11 +4,11 @@
 , legacySupport ? false }:
 
 stdenv.mkDerivation rec {
-  name = "zstd-${version}";
-  version = "1.4.0";
+  pname = "zstd";
+  version = "1.4.1";
 
   src = fetchFromGitHub {
-    sha256 = "1gfxi3ymgavjfxh84rhfjan7l4pymwfrn051nwc7n0s3mxp09m6v";
+    sha256 = "1f2nvhsx1fsd6zbnwvc6bbrm9ghkcvamqqg79fxgk5284rc6nynv";
     rev = "v${version}";
     repo = "zstd";
     owner = "facebook";
@@ -40,6 +40,8 @@ stdenv.mkDerivation rec {
       --replace "zstdcat" "$out/bin/zstdcat"
   '';
 
+  enableParallelBuilding = true;
+
   meta = with stdenv.lib; {
     description = "Zstandard real-time compression algorithm";
     longDescription = ''
@@ -52,8 +54,7 @@ stdenv.mkDerivation rec {
       property shared by most LZ compression algorithms, such as zlib.
     '';
     homepage = https://facebook.github.io/zstd/;
-    # The licence of the CLI programme is GPLv2+, that of the library BSD-2.
-    license = with licenses; [ gpl2Plus bsd2 ];
+    license = with licenses; [ bsd3 ]; # Or, at your opinion, GPL-2.0-only.
 
     platforms = platforms.unix;
     maintainers = with maintainers; [ orivej ];
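Review bot: The trailing comment on the new `license` line reads "at your opinion" where "at your option" is evidently meant, and the attribute itself now lists only `bsd3`. Anything that reads `meta.license` will therefore no longer see the GPL alternative the comment describes. At minimum the comment should be corrected: `license = with licenses; [ bsd3 ]; # Or, at your option, GPL-2.0-only.` If the dual licensing is meant to be machine-readable, the GPL entry would have to stay in the list.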
diff --git a/pkgs/tools/filesystems/e2fsprogs/default.nix b/pkgs/tools/filesystems/e2fsprogs/default.nix
index babb3d844fe9..d8ddde24ade3 100644
--- a/pkgs/tools/filesystems/e2fsprogs/default.nix
+++ b/pkgs/tools/filesystems/e2fsprogs/default.nix
@@ -2,11 +2,11 @@
 
 stdenv.mkDerivation rec {
   pname = "e2fsprogs";
-  version = "1.45.2";
+  version = "1.45.3";
 
   src = fetchurl {
     url = "mirror://sourceforge/${pname}/${pname}-${version}.tar.gz";
-    sha256 = "1bhqljgcngys1diaxh7rnxc85d1jsril8xd7bach9imdjwr1wlm8";
+    sha256 = "0gcqfnp9h7wgz1vq402kxd2w398vqaim26aq9i722v3lrgh5cm9s";
   };
 
   outputs = [ "bin" "dev" "out" "man" "info" ];
diff --git a/pkgs/tools/graphics/blur-effect/default.nix b/pkgs/tools/graphics/blur-effect/default.nix
index 5bb209984396..499004013196 100644
--- a/pkgs/tools/graphics/blur-effect/default.nix
+++ b/pkgs/tools/graphics/blur-effect/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchFromGitHub, pkgconfig, cmake, gdk_pixbuf, libGL, mesa }:
+{ stdenv, fetchFromGitHub, pkgconfig, cmake, gdk-pixbuf, libGL, mesa }:
 
 stdenv.mkDerivation rec {
   pname = "blur-effect";
@@ -17,7 +17,7 @@ stdenv.mkDerivation rec {
   ];
 
   buildInputs = [
-    gdk_pixbuf
+    gdk-pixbuf
     libGL
     mesa
   ];
diff --git a/pkgs/tools/inputmethods/ibus/default.nix b/pkgs/tools/inputmethods/ibus/default.nix
index d2090d776762..07fa8d2beb56 100644
--- a/pkgs/tools/inputmethods/ibus/default.nix
+++ b/pkgs/tools/inputmethods/ibus/default.nix
@@ -1,5 +1,5 @@
 { stdenv, substituteAll, fetchurl, fetchFromGitHub, autoreconfHook, gettext, makeWrapper, pkgconfig
-, vala, wrapGAppsHook, dbus, dconf ? null, glib, gdk_pixbuf, gobject-introspection, gtk2
+, vala, wrapGAppsHook, dbus, dconf ? null, glib, gdk-pixbuf, gobject-introspection, gtk2
 , gtk3, gtk-doc, isocodes, python3, json-glib, libnotify ? null, enablePython2Library ? false
 , enableUI ? true, withWayland ? false, libxkbcommon ? null, wayland ? null
 , buildPackages, runtimeShell }:
@@ -134,7 +134,7 @@ stdenv.mkDerivation rec {
   buildInputs = [
     dbus
     dconf
-    gdk_pixbuf
+    gdk-pixbuf
     gobject-introspection
     python3.pkgs.pygobject3 # for pygobject overrides
     gtk2
diff --git a/pkgs/tools/misc/birdfont/default.nix b/pkgs/tools/misc/birdfont/default.nix
index 2de6715db8fe..56e7650673e1 100644
--- a/pkgs/tools/misc/birdfont/default.nix
+++ b/pkgs/tools/misc/birdfont/default.nix
@@ -1,5 +1,5 @@
 { stdenv, fetchurl, pkgconfig, python3, xmlbird,
-cairo, gdk_pixbuf, libgee, glib, gtk3, webkitgtk, libnotify, sqlite, vala,
+cairo, gdk-pixbuf, libgee, glib, gtk3, webkitgtk, libnotify, sqlite, vala,
 gobject-introspection, gsettings-desktop-schemas, wrapGAppsHook }:
 
 stdenv.mkDerivation rec {
@@ -12,7 +12,7 @@ stdenv.mkDerivation rec {
   };
 
   nativeBuildInputs = [ python3 pkgconfig vala gobject-introspection wrapGAppsHook ];
-  buildInputs = [ xmlbird libgee cairo gdk_pixbuf glib gtk3 webkitgtk libnotify sqlite gsettings-desktop-schemas ];
+  buildInputs = [ xmlbird libgee cairo gdk-pixbuf glib gtk3 webkitgtk libnotify sqlite gsettings-desktop-schemas ];
 
   postPatch = "patchShebangs .";
 
diff --git a/pkgs/tools/misc/staruml/default.nix b/pkgs/tools/misc/staruml/default.nix
index dcbee0e343ec..794c06b8044e 100644
--- a/pkgs/tools/misc/staruml/default.nix
+++ b/pkgs/tools/misc/staruml/default.nix
@@ -1,12 +1,12 @@
 { stdenv, fetchurl, makeWrapper
 , dpkg, patchelf
-, gtk2, glib, gdk_pixbuf, alsaLib, nss, nspr, GConf, cups, libgcrypt, dbus, systemd
+, gtk2, glib, gdk-pixbuf, alsaLib, nss, nspr, GConf, cups, libgcrypt, dbus, systemd
 , libXdamage, expat }:
 
 let
   inherit (stdenv) lib;
   LD_LIBRARY_PATH = lib.makeLibraryPath
-    [ glib gtk2 gdk_pixbuf alsaLib nss nspr GConf cups libgcrypt dbus libXdamage expat ];
+    [ glib gtk2 gdk-pixbuf alsaLib nss nspr GConf cups libgcrypt dbus libXdamage expat ];
 in
 stdenv.mkDerivation rec {
   version = "2.8.1";
diff --git a/pkgs/tools/misc/sweep-visualizer/default.nix b/pkgs/tools/misc/sweep-visualizer/default.nix
index cbf849494b75..fd0a766f54e9 100644
--- a/pkgs/tools/misc/sweep-visualizer/default.nix
+++ b/pkgs/tools/misc/sweep-visualizer/default.nix
@@ -1,5 +1,5 @@
 { stdenv, lib, makeWrapper, fetchurl,
-  alsaLib, atk, cairo, cups, dbus, expat, fontconfig, freetype, gdk_pixbuf, glib,
+  alsaLib, atk, cairo, cups, dbus, expat, fontconfig, freetype, gdk-pixbuf, glib,
   gnome2, gtk2-x11, nspr, nss,
   libX11, libxcb, libXcomposite, libXcursor, libXdamage, libXext, libXfixes,
   libXi, libXrandr, libXrender, libXScrnSaver, libXtst,
@@ -13,7 +13,7 @@
       url = "https://s3.amazonaws.com/scanse/Visualizer/v${version}/sweepvisualizer_${version}_amd64.deb";
       sha256 = "1k6rdjw2340qrzafv6hjxvbvyh3s1wad6d3629nchdcrpyx9xy1c";
     };
-    
+
     nativeBuildInputs = [ makeWrapper ];
 
     sourceRoot = ".";
@@ -32,8 +32,8 @@
 
     preFixup = let
       libPath = lib.makeLibraryPath [
-        alsaLib atk cairo cups.lib dbus.lib expat fontconfig.lib freetype 
-        gdk_pixbuf glib gnome2.GConf gnome2.pango gtk2-x11 nspr nss stdenv.cc.cc.lib
+        alsaLib atk cairo cups.lib dbus.lib expat fontconfig.lib freetype
+        gdk-pixbuf glib gnome2.GConf gnome2.pango gtk2-x11 nspr nss stdenv.cc.cc.lib
         libX11 libxcb libXcomposite libXcursor libXdamage libXext libXfixes
         libXi libXrandr libXrender libXScrnSaver libXtst
       ];
diff --git a/pkgs/tools/misc/system-config-printer/default.nix b/pkgs/tools/misc/system-config-printer/default.nix
index 025833431176..6750bbe8ae69 100644
--- a/pkgs/tools/misc/system-config-printer/default.nix
+++ b/pkgs/tools/misc/system-config-printer/default.nix
@@ -1,6 +1,6 @@
 { stdenv, fetchurl, udev, intltool, pkgconfig, glib, xmlto, wrapGAppsHook
 , docbook_xml_dtd_412, docbook_xsl
-, libxml2, desktop-file-utils, libusb1, cups, gdk_pixbuf, pango, atk, libnotify
+, libxml2, desktop-file-utils, libusb1, cups, gdk-pixbuf, pango, atk, libnotify
 , gobject-introspection, libsecret
 , cups-filters
 , pythonPackages
@@ -20,7 +20,7 @@ stdenv.mkDerivation rec {
   buildInputs = [
     glib udev libusb1 cups
     pythonPackages.python
-    libnotify gobject-introspection gdk_pixbuf pango atk
+    libnotify gobject-introspection gdk-pixbuf pango atk
     libsecret
   ];
 
diff --git a/pkgs/tools/networking/curl/default.nix b/pkgs/tools/networking/curl/default.nix
index bd502ee34c66..652bcdba8748 100644
--- a/pkgs/tools/networking/curl/default.nix
+++ b/pkgs/tools/networking/curl/default.nix
@@ -24,14 +24,14 @@ assert brotliSupport -> brotli != null;
 assert gssSupport -> libkrb5 != null;
 
 stdenv.mkDerivation rec {
-  name = "curl-7.65.0";
+  name = "curl-7.65.3";
 
   src = fetchurl {
     urls = [
       "https://curl.haxx.se/download/${name}.tar.bz2"
       "https://github.com/curl/curl/releases/download/${lib.replaceStrings ["."] ["_"] name}/${name}.tar.bz2"
     ];
-    sha256 = "0p6z77iv6wlxq7skbnxn61rn8rangrp4g4spr09y920fcf7w0iza";
+    sha256 = "02g5zj4rq5sr15jzjqk70xk4k92i2pdmpq00xb4pnba8ps1mx18a";
   };
 
   outputs = [ "bin" "dev" "out" "man" "devdoc" ];
diff --git a/pkgs/tools/networking/driftnet/default.nix b/pkgs/tools/networking/driftnet/default.nix
index bf0a43ce5153..fd932617c936 100644
--- a/pkgs/tools/networking/driftnet/default.nix
+++ b/pkgs/tools/networking/driftnet/default.nix
@@ -1,5 +1,5 @@
 { stdenv, lib, fetchFromGitHub, libpcap, libjpeg , libungif, libpng
-, giflib, glib, gtk2, cairo, pango, gdk_pixbuf, atk
+, giflib, glib, gtk2, cairo, pango, gdk-pixbuf, atk
 , pkgconfig, autoreconfHook }:
 
 with lib;
@@ -11,7 +11,7 @@ stdenv.mkDerivation rec {
   nativeBuildInputs = [ pkgconfig ];
   buildInputs = [
     libpcap libjpeg libungif libpng giflib
-    glib gtk2 glib cairo pango gdk_pixbuf atk autoreconfHook
+    glib gtk2 glib cairo pango gdk-pixbuf atk autoreconfHook
   ];
 
   src = fetchFromGitHub {
diff --git a/pkgs/tools/networking/openresolv/default.nix b/pkgs/tools/networking/openresolv/default.nix
index 209e1f64c72b..302e08617afc 100644
--- a/pkgs/tools/networking/openresolv/default.nix
+++ b/pkgs/tools/networking/openresolv/default.nix
@@ -2,11 +2,11 @@
 
 stdenv.mkDerivation rec {
   name = "openresolv-${version}";
-  version = "3.9.0";
+  version = "3.9.1";
 
   src = fetchurl {
     url = "mirror://roy/openresolv/${name}.tar.xz";
-    sha256 = "1f2dccc52iykbpma26fbxzga2l6g4njm3bgaxz4rgdrb4cwlv82i";
+    sha256 = "1wlzi88837rf4ygswmzpbcmgkbbjhn5n322n9q6ir6x367hygf1q";
   };
 
   buildInputs = [ makeWrapper ];
diff --git a/pkgs/tools/security/encryptr/default.nix b/pkgs/tools/security/encryptr/default.nix
index 8d0c78764319..6f79be83be55 100644
--- a/pkgs/tools/security/encryptr/default.nix
+++ b/pkgs/tools/security/encryptr/default.nix
@@ -1,7 +1,7 @@
 { stdenv, fetchurl, glib, nss, nspr, gconf, fontconfig, freetype
 , pango , cairo, libX11 , libXi, libXcursor, libXext, libXfixes
 , libXrender, libXcomposite , alsaLib, libXdamage, libXtst, libXrandr
-, expat, libcap, systemd , dbus, gtk2 , gdk_pixbuf, libnotify
+, expat, libcap, systemd , dbus, gtk2 , gdk-pixbuf, libnotify
 }:
 
 let
@@ -27,7 +27,7 @@ in stdenv.mkDerivation rec {
   rpath = stdenv.lib.makeLibraryPath [
     glib nss nspr gconf fontconfig freetype pango cairo libX11 libXi
     libXcursor libXext libXfixes libXrender libXcomposite alsaLib
-    libXdamage libXtst libXrandr expat libcap dbus gtk2 gdk_pixbuf
+    libXdamage libXtst libXrandr expat libcap dbus gtk2 gdk-pixbuf
     libnotify stdenv.cc.cc
   ];
 
diff --git a/pkgs/tools/security/keybase/gui.nix b/pkgs/tools/security/keybase/gui.nix
index f84f0039347e..afe2d457a7fe 100644
--- a/pkgs/tools/security/keybase/gui.nix
+++ b/pkgs/tools/security/keybase/gui.nix
@@ -1,5 +1,5 @@
 { stdenv, fetchurl, alsaLib, atk, cairo, cups, udev
-, dbus, expat, fontconfig, freetype, gdk_pixbuf, glib, gtk3
+, dbus, expat, fontconfig, freetype, gdk-pixbuf, glib, gtk3
 , libnotify, nspr, nss, pango, systemd, xorg, autoPatchelfHook, wrapGAppsHook
 , runtimeShell, gsettings-desktop-schemas }:
 
@@ -30,7 +30,7 @@ stdenv.mkDerivation rec {
     expat
     fontconfig
     freetype
-    gdk_pixbuf
+    gdk-pixbuf
     glib
     gsettings-desktop-schemas
     gtk3
diff --git a/pkgs/tools/system/collectd/default.nix b/pkgs/tools/system/collectd/default.nix
index 3fdc87808881..d71fa0c4e584 100644
--- a/pkgs/tools/system/collectd/default.nix
+++ b/pkgs/tools/system/collectd/default.nix
@@ -13,7 +13,7 @@
 , libmemcached, cyrus_sasl
 , libmicrohttpd
 , libmodbus
-, libnotify, gdk_pixbuf
+, libnotify, gdk-pixbuf
 , liboping
 , libpcap
 , libsigrok
@@ -59,7 +59,7 @@ stdenv.mkDerivation rec {
   nativeBuildInputs = [ pkgconfig autoreconfHook ];
   buildInputs = [
     curl libdbi libgcrypt libmemcached
-    cyrus_sasl libnotify gdk_pixbuf liboping libpcap libvirt
+    cyrus_sasl libnotify gdk-pixbuf liboping libpcap libvirt
     libxml2 postgresql protobufc rrdtool
     varnish yajl jdk libtool python hiredis libmicrohttpd
     riemann_c_client mosquitto rdkafka mongoc
diff --git a/pkgs/tools/system/ddrescueview/default.nix b/pkgs/tools/system/ddrescueview/default.nix
index 517cefb6a2b3..466232e2bf77 100644
--- a/pkgs/tools/system/ddrescueview/default.nix
+++ b/pkgs/tools/system/ddrescueview/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, lib, fetchurl, fpc, lazarus, atk, cairo, gdk_pixbuf, glib, gtk2, libX11, pango }:
+{ stdenv, lib, fetchurl, fpc, lazarus, atk, cairo, gdk-pixbuf, glib, gtk2, libX11, pango }:
 
 stdenv.mkDerivation rec {
   name = "ddrescueview-0.4alpha3";
@@ -11,7 +11,7 @@ stdenv.mkDerivation rec {
 
   nativeBuildInputs = [ fpc lazarus ];
 
-  buildInputs = [ atk cairo gdk_pixbuf glib gtk2 libX11 pango ];
+  buildInputs = [ atk cairo gdk-pixbuf glib gtk2 libX11 pango ];
 
   sourceRoot = "source";
 
diff --git a/pkgs/tools/text/gnupatch/CVE-2019-13636.patch b/pkgs/tools/text/gnupatch/CVE-2019-13636.patch
new file mode 100644
index 000000000000..e62c3d41753c
--- /dev/null
+++ b/pkgs/tools/text/gnupatch/CVE-2019-13636.patch
@@ -0,0 +1,108 @@
+From dce4683cbbe107a95f1f0d45fabc304acfb5d71a Mon Sep 17 00:00:00 2001
+From: Andreas Gruenbacher <agruen@gnu.org>
+Date: Mon, 15 Jul 2019 16:21:48 +0200
+Subject: Don't follow symlinks unless --follow-symlinks is given
+
+* src/inp.c (plan_a, plan_b), src/util.c (copy_to_fd, copy_file,
+append_to_file): Unless the --follow-symlinks option is given, open files with
+the O_NOFOLLOW flag to avoid following symlinks.  So far, we were only doing
+that consistently for input files.
+* src/util.c (create_backup): When creating empty backup files, (re)create them
+with O_CREAT | O_EXCL to avoid following symlinks in that case as well.
+---
+ src/inp.c  | 12 ++++++++++--
+ src/util.c | 14 +++++++++++---
+ 2 files changed, 21 insertions(+), 5 deletions(-)
+
+diff --git a/src/inp.c b/src/inp.c
+index 32d0919..22d7473 100644
+--- a/src/inp.c
++++ b/src/inp.c
+@@ -238,8 +238,13 @@ plan_a (char const *filename)
+     {
+       if (S_ISREG (instat.st_mode))
+         {
+-	  int ifd = safe_open (filename, O_RDONLY|binary_transput, 0);
++	  int flags = O_RDONLY | binary_transput;
+ 	  size_t buffered = 0, n;
++	  int ifd;
++
++	  if (! follow_symlinks)
++	    flags |= O_NOFOLLOW;
++	  ifd = safe_open (filename, flags, 0);
+ 	  if (ifd < 0)
+ 	    pfatal ("can't open file %s", quotearg (filename));
+ 
+@@ -340,6 +345,7 @@ plan_a (char const *filename)
+ static void
+ plan_b (char const *filename)
+ {
++  int flags = O_RDONLY | binary_transput;
+   int ifd;
+   FILE *ifp;
+   int c;
+@@ -353,7 +359,9 @@ plan_b (char const *filename)
+ 
+   if (instat.st_size == 0)
+     filename = NULL_DEVICE;
+-  if ((ifd = safe_open (filename, O_RDONLY | binary_transput, 0)) < 0
++  if (! follow_symlinks)
++    flags |= O_NOFOLLOW;
++  if ((ifd = safe_open (filename, flags, 0)) < 0
+       || ! (ifp = fdopen (ifd, binary_transput ? "rb" : "r")))
+     pfatal ("Can't open file %s", quotearg (filename));
+   if (TMPINNAME_needs_removal)
+diff --git a/src/util.c b/src/util.c
+index 1cc08ba..fb38307 100644
+--- a/src/util.c
++++ b/src/util.c
+@@ -388,7 +388,7 @@ create_backup (char const *to, const struct stat *to_st, bool leave_original)
+ 
+ 	  try_makedirs_errno = ENOENT;
+ 	  safe_unlink (bakname);
+-	  while ((fd = safe_open (bakname, O_CREAT | O_WRONLY | O_TRUNC, 0666)) < 0)
++	  while ((fd = safe_open (bakname, O_CREAT | O_EXCL | O_WRONLY | O_TRUNC, 0666)) < 0)
+ 	    {
+ 	      if (errno != try_makedirs_errno)
+ 		pfatal ("Can't create file %s", quotearg (bakname));
+@@ -579,10 +579,13 @@ create_file (char const *file, int open_flags, mode_t mode,
+ static void
+ copy_to_fd (const char *from, int tofd)
+ {
++  int from_flags = O_RDONLY | O_BINARY;
+   int fromfd;
+   ssize_t i;
+ 
+-  if ((fromfd = safe_open (from, O_RDONLY | O_BINARY, 0)) < 0)
++  if (! follow_symlinks)
++    from_flags |= O_NOFOLLOW;
++  if ((fromfd = safe_open (from, from_flags, 0)) < 0)
+     pfatal ("Can't reopen file %s", quotearg (from));
+   while ((i = read (fromfd, buf, bufsize)) != 0)
+     {
+@@ -625,6 +628,8 @@ copy_file (char const *from, char const *to, struct stat *tost,
+   else
+     {
+       assert (S_ISREG (mode));
++      if (! follow_symlinks)
++	to_flags |= O_NOFOLLOW;
+       tofd = create_file (to, O_WRONLY | O_BINARY | to_flags, mode,
+ 			  to_dir_known_to_exist);
+       copy_to_fd (from, tofd);
+@@ -640,9 +645,12 @@ copy_file (char const *from, char const *to, struct stat *tost,
+ void
+ append_to_file (char const *from, char const *to)
+ {
++  int to_flags = O_WRONLY | O_APPEND | O_BINARY;
+   int tofd;
+ 
+-  if ((tofd = safe_open (to, O_WRONLY | O_BINARY | O_APPEND, 0)) < 0)
++  if (! follow_symlinks)
++    to_flags |= O_NOFOLLOW;
++  if ((tofd = safe_open (to, to_flags, 0)) < 0)
+     pfatal ("Can't reopen file %s", quotearg (to));
+   copy_to_fd (from, tofd);
+   if (close (tofd) != 0)
+-- 
+cgit v1.0-41-gc330
+
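Review bot: The `O_NOFOLLOW` added in plan_a, plan_b, copy_to_fd, copy_file and append_to_file refuses a symlink only in the final path component, so protection for the parent directories rests on safe_open, whose body is not part of this patch. In create_backup the new flag set `O_CREAT | O_EXCL | O_WRONLY | O_TRUNC` keeps an `O_TRUNC` that has no effect once `O_EXCL` is present. If the backup name is recreated between safe_unlink and the open, the call should fail with EEXIST and reach pfatal, because errno then differs from try_makedirs_errno. This file is a verbatim upstream commit and is best left byte-identical. A short comment beside its entry in default.nix, e.g. `# symlinks are now refused unless --follow-symlinks is given`, would record the behaviour change for users who patch through symlinks.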
diff --git a/pkgs/tools/text/gnupatch/CVE-2019-13638.patch b/pkgs/tools/text/gnupatch/CVE-2019-13638.patch
new file mode 100644
index 000000000000..38caff628aaf
--- /dev/null
+++ b/pkgs/tools/text/gnupatch/CVE-2019-13638.patch
@@ -0,0 +1,38 @@
+From 3fcd042d26d70856e826a42b5f93dc4854d80bf0 Mon Sep 17 00:00:00 2001
+From: Andreas Gruenbacher <agruen@gnu.org>
+Date: Fri, 6 Apr 2018 19:36:15 +0200
+Subject: Invoke ed directly instead of using the shell
+
+* src/pch.c (do_ed_script): Invoke ed directly instead of using a shell
+command to avoid quoting vulnerabilities.
+---
+ src/pch.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/src/pch.c b/src/pch.c
+index 4fd5a05..16e001a 100644
+--- a/src/pch.c
++++ b/src/pch.c
+@@ -2459,9 +2459,6 @@ do_ed_script (char const *inname, char const *outname,
+ 	    *outname_needs_removal = true;
+ 	    copy_file (inname, outname, 0, exclusive, instat.st_mode, true);
+ 	  }
+-	sprintf (buf, "%s %s%s", editor_program,
+-		 verbosity == VERBOSE ? "" : "- ",
+-		 outname);
+ 	fflush (stdout);
+ 
+ 	pid = fork();
+@@ -2470,7 +2467,8 @@ do_ed_script (char const *inname, char const *outname,
+ 	else if (pid == 0)
+ 	  {
+ 	    dup2 (tmpfd, 0);
+-	    execl ("/bin/sh", "sh", "-c", buf, (char *) 0);
++	    assert (outname[0] != '!' && outname[0] != '-');
++	    execlp (editor_program, editor_program, "-", outname, (char  *) NULL);
+ 	    _exit (2);
+ 	  }
+ 	else
+-- 
+cgit v1.0-41-gc330
+
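Review bot: The guard `assert (outname[0] != '!' && outname[0] != '-');` in the forked child of do_ed_script is the only visible check that keeps an output name from being read by ed as a shell escape or an option, and an assert is compiled out when NDEBUG is defined. It is worth confirming that the package build does not define NDEBUG. An unconditional form such as `if (outname[0] == '!' || outname[0] == '-') _exit (2);` would not depend on build flags, at the cost of diverging from the upstream commit. The new execlp call also always passes `-`, whereas the removed sprintf omitted it when verbosity was VERBOSE, so ed's diagnostics are now suppressed in verbose mode as well. do_ed_script starts and ends outside the hunk.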
diff --git a/pkgs/tools/text/gnupatch/default.nix b/pkgs/tools/text/gnupatch/default.nix
index 1a5cda5799dc..5b61220d50a1 100644
--- a/pkgs/tools/text/gnupatch/default.nix
+++ b/pkgs/tools/text/gnupatch/default.nix
@@ -23,6 +23,12 @@ stdenv.mkDerivation rec {
     })
     # https://git.savannah.gnu.org/cgit/patch.git/commit/?id=9c986353e420ead6e706262bf204d6e03322c300
     ./CVE-2018-6952.patch
+
+    # https://git.savannah.gnu.org/cgit/patch.git/patch/?id=dce4683cbbe107a95f1f0d45fabc304acfb5d71a
+    ./CVE-2019-13636.patch
+
+    # https://git.savannah.gnu.org/cgit/patch.git/patch/?id=3fcd042d26d70856e826a42b5f93dc4854d80bf0
+    ./CVE-2019-13638.patch
   ];
 
   nativeBuildInputs = [ autoreconfHook ];
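Review bot: The two new entries have an ordering dependency that is not documented. The context lines of CVE-2019-13638.patch (the fork, `dup2 (tmpfd, 0)` and the `/bin/sh` execl in do_ed_script) must already exist in the tree when it applies, so it probably depends on an earlier entry in this list, which opens outside the hunk. A comment such as `# must stay after the earlier ed-script fix; it rewrites the fork/exec code that patch adds` would stop a later reordering from breaking the build or silently dropping the fix. The new comments also link the `patch/?id=` endpoint while the existing CVE-2018-6952 comment links `commit/?id=`; using one form throughout makes the provenance of the vendored files easier to check against upstream.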