Note that the CVE references 1ebc60b, which removes a "/bin/sh" call, addressing the vulnerability.
Your patch incorporates the relevant code added by that commit (though it replaces a system() call, instead).

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-9059
https://github.com/npat-efault/picocom/commit/1ebc60b

--
AE0D BF5A 92A5 ADE4 9481 BA6F 8A31 71EF 3661 50CE