This is the combination of two NetBSD patches committed by Christos
Zoulas, based on the findings and Bitrig patch by Martin Natano.
The NetBSD log messages read:
From Martin Natano @bitrig: Use execve(2) instead of system to
apply patches that require rcs command execution instead system(3)
to avoid malicious filenames in patches causing bad things to
happen. In the process, lose SCCS support. It is not like we are
shipping sccs commands for that to work.
And:
Use absolute paths for RCS commands (Martin Natano)