Sync from SUSE:SLFO:Main less revision e0196ab6f4cd201291067a5af6442c5a
parent
850a11be1d
commit
a97e1ba035
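--- /dev/null
+++ b/CVE-2024-32487.patch
@@ -0,0 +1,67 @@
+From 007521ac3c95bc76e3d59c6dbfe75d06c8075c33 Mon Sep 17 00:00:00 2001
+From: Mark Nudelman <markn@greenwoodsoftware.com>
+Date: Thu, 11 Apr 2024 17:49:48 -0700
+Subject: [PATCH] Fix bug when viewing a file whose name contains a newline.
+
+---
+filename.c | 31 +++++++++++++++++++++++++------
+1 file changed, 25 insertions(+), 6 deletions(-)
+
+Index: less-633/filename.c
+===================================================================
+--- less-633.orig/filename.c
++++ less-633/filename.c
+@@ -134,6 +134,15 @@ static int metachar(char c)
+}
+
+/*
++ * Must use quotes rather than escape char for this metachar?
++ */
++static int must_quote(char c)
++{
++ /* {{ Maybe the set of must_quote chars should be configurable? }} */
++ return (c == '\n');
++}
++
++/*
+* Insert a backslash before each metacharacter in a string.
+*/
+public char * shell_quote(char *s)
+@@ -164,6 +173,9 @@ public char * shell_quote(char *s)
+* doesn't support escape chars. Use quotes.
+*/
+use_quotes = 1;
++ } else if (must_quote(*p))
++ {
++ len += 3; /* open quote + char + close quote */
+} else
+{
+/*
+@@ -193,15 +205,22 @@ public char * shell_quote(char *s)
+{
+while (*s != '\0')
+{
+- if (metachar(*s))
++ if (!metachar(*s))
+{
+- /*
+- * Add the escape char.
+- */
++ *p++ = *s++;
++ } else if (must_quote(*s))
++ {
++ /* Surround the char with quotes. */
++ *p++ = openquote;
++ *p++ = *s++;
++ *p++ = closequote;
++ } else
++ {
++ /* Insert an escape char before the char. */
+strcpy(p, esc);
+p += esclen;
++ *p++ = *s++;
+}
+- *p++ = *s++;
+}
+*p = '\0';
+}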
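Review bot: In the copy loop of shell_quote, `must_quote(*s)` is only consulted in the `else` of `if (!metachar(*s))`, so a newline is wrapped in quotes only when metachar() already reports it. metachar()'s body is outside these hunks, and if its character set can be overridden (less reads LESSMETACHARS), a newline left out of that set would be copied through unquoted. Testing the stricter predicate first in both the length pass and the copy pass, `if (must_quote(*s)) { ... } else if (metachar(*s)) { ... }`, would make the newline handling independent of that set. The unchanged header comment `Insert a backslash before each metacharacter in a string.` is also stale now and could read `Escape each metacharacter, or enclose it in quotes when must_quote() requires it.` shell_quote starts and ends outside the hunks, so the rest of the length computation could not be checked here.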
@ -1,3 +1,11 @@
-------------------------------------------------------------------
Tue Jun 11 21:53:49 UTC 2024 - Stanislav Brabec <sbrabec@suse.com>
- Fix CVE-2024-32487, mishandling of \n character in paths when
LESSOPEN is set leads to OS command execution
(CVE-2024-32487, bsc#1222849)
* CVE-2024-32487.patch
-------------------------------------------------------------------
-------------------------------------------------------------------
Thu May 4 08:12:21 UTC 2023 - Kristyna Streitova <kstreitova@suse.com>
Thu May 4 08:12:21 UTC 2023 - Kristyna Streitova <kstreitova@suse.com>
@ -37,6 +37,9 @@ Source5: https://www.greenwoodsoftware.com/less/less-%{version}.sig
Source6: https://www.greenwoodsoftware.com/less/pubkey.asc#/%{name}.keyring
Source6: https://www.greenwoodsoftware.com/less/pubkey.asc#/%{name}.keyring
Patch0: less-429-shell.patch
Patch0: less-429-shell.patch
Patch2: less-429-more.patch
Patch2: less-429-more.patch
# PATCH-FIX-UPSTREAM danilo.spinella@suse.com bsc#1222849
# mishandling of \n character in paths when LESSOPEN is set leads to OS command execution
Patch3: CVE-2024-32487.patch
BuildRequires: automake
BuildRequires: automake
BuildRequires: ncurses-devel
BuildRequires: ncurses-devel
BuildRequires: pkgconfig
BuildRequires: pkgconfig
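Review bot: The hunk declares `Patch3: CVE-2024-32487.patch`, but the %prep section lies outside it, so nothing visible here shows the patch actually being applied; a security fix that is listed but never applied still ships the unpatched filename.c. Confirm that %prep picks it up through `%autosetup -p1` or an explicit `%patch` entry; the patch paths `less-633.orig/filename.c` and `less-633/filename.c` need strip level 1. The tag comment could also carry the CVE id next to the bug number, `# PATCH-FIX-UPSTREAM danilo.spinella@suse.com bsc#1222849 CVE-2024-32487`, so the entry can be found by either identifier.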