CVE-2019-20633: 
NixOS vulnerability analysis and mitigation

GNU patch through version 2.7.6 contains a Double Free vulnerability in the function another_hunk in pch.c, identified as CVE-2019-20633. The vulnerability was discovered as an incomplete fix for a previous issue (CVE-2018-6952) and was disclosed on March 25, 2020. The vulnerability affects the GNU patch utility, which is widely used in Unix-like operating systems for applying patch files to source code (NVD, MITRE).

The vulnerability specifically involves a double free condition in the free(p_line[p_end]) operation within the another_hunk function in pch.c. The issue has been assigned a CVSS 3.1 base score of 5.5 (Medium), with the following vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H. The vulnerability requires local access and user interaction to be exploited (Ubuntu).

When exploited, this vulnerability can lead to a denial of service condition through the crash of the patch utility when processing specially crafted patch files. The impact is primarily limited to availability, with no direct effect on confidentiality or integrity of the system (NVD).

A fix has been proposed that involves clearing the length and pointer after the pointer is released in the affected code section. The fix includes modifying the while loop to ensure proper pointer handling and prevent the double free condition. Some distributions, such as Debian, have marked this as fixed in version 2.7.6-7 (Debian Tracker).