Accepting request 1063861 from Base:System

OBS-URL: https://build.opensuse.org/request/show/1063861
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/less?expand=0&rev=68

cve-2022-46663.patch

@@ -0,0 +1,24 @@
+From a78e1351113cef564d790a730d657a321624d79c Mon Sep 17 00:00:00 2001
+From: Mark Nudelman <markn@greenwoodsoftware.com>
+Date: Fri, 7 Oct 2022 19:25:46 -0700
+Subject: [PATCH] End OSC8 hyperlink on invalid embedded escape sequence.
+
+---
+ line.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/line.c b/line.c
+index 236c49ae..cba7bdd1 100644
+--- a/line.c
++++ b/line.c
+@@ -633,8 +633,8 @@ ansi_step(pansi, ch)
+ 		/* Hyperlink ends with \7 or ESC-backslash. */
+ 		if (ch == '\7')
+ 			return ANSI_END;
+-		if (pansi->prev_esc && ch == '\\')
+-			return ANSI_END;
++		if (pansi->prev_esc)
++            return (ch == '\\') ? ANSI_END : ANSI_ERR;
+ 		pansi->prev_esc = (ch == ESC);
+ 		return ANSI_MID;
+ 	}

less-429-more.patch

@@ -1,6 +1,8 @@
---- option.c
-+++ option.c
-@@ -134,6 +134,10 @@
+Index: less-608/option.c
+===================================================================
+--- less-608.orig/option.c	2022-07-22 19:26:24.000000000 +0000
++++ less-608/option.c	2023-02-07 15:08:06.567552684 +0000
+@@ -171,6 +171,10 @@ scan_option(s)
  			s--;
  			optc = 'z';
  			break;

less-429-shell.patch

@@ -1,7 +1,8 @@
-diff -ru a/filename.c b/filename.c
---- a/filename.c	2020-05-11 23:36:17.000000000 +0200
-+++ b/filename.c	2020-05-12 14:01:23.624217811 +0200
-@@ -574,7 +574,7 @@
+Index: less-608/filename.c
+===================================================================
+--- less-608.orig/filename.c	2022-07-22 19:26:24.000000000 +0000
++++ less-608/filename.c	2023-02-07 15:07:55.521151736 +0000
+@@ -572,7 +572,7 @@ shellcmd(cmd)
  #if HAVE_SHELL
  	char *shell;
  
@@ -10,10 +11,11 @@ diff -ru a/filename.c b/filename.c
  	if (!isnullenv(shell))
  	{
  		char *scmd;
-diff -ru a/less.hlp b/less.hlp
---- a/less.hlp	2020-05-11 23:36:21.000000000 +0200
-+++ b/less.hlp	2020-05-12 14:00:58.680162327 +0200
-@@ -101,7 +101,7 @@
+Index: less-608/less.hlp
+===================================================================
+--- less-608.orig/less.hlp	2022-07-22 19:26:24.000000000 +0000
++++ less-608/less.hlp	2023-02-07 15:07:55.522151863 +0000
+@@ -103,7 +103,7 @@
    ___<_n_a_m_e_>             Display the setting of an option, by name.
    +_c_m_d                 Execute the less cmd each time a new file is examined.
  
@@ -22,10 +24,11 @@ diff -ru a/less.hlp b/less.hlp
    |XX_c_o_m_m_a_n_d            Pipe file between current pos & mark XX to shell command.
    s _f_i_l_e               Save input to a file.
    v                    Edit the current file with $VISUAL or $EDITOR.
-diff -ru a/less.nro b/less.nro
---- a/less.nro	2020-05-11 23:36:21.000000000 +0200
-+++ b/less.nro	2020-05-12 14:02:02.728304787 +0200
-@@ -420,7 +420,7 @@
+Index: less-608/less.nro
+===================================================================
+--- less-608.orig/less.nro	2022-07-22 19:26:24.000000000 +0000
++++ less-608/less.nro	2023-02-07 15:07:55.522151863 +0000
+@@ -443,7 +443,7 @@ current file.
  A pound sign (#) is replaced by the name of the previously examined file.
  "!!" repeats the last shell command.
  "!" with no shell command simply invokes a shell.
@@ -34,7 +37,7 @@ diff -ru a/less.nro b/less.nro
  or defaults to "sh".
  On MS-DOS and OS/2 systems, the shell is the normal command processor.
  .IP "| <m> shell-command"
-@@ -1793,7 +1793,7 @@
+@@ -2044,7 +2044,7 @@ compatible mode.
  .IP PATH
  User's search path (used to find a lesskey file
  on MS-DOS and OS/2 systems).
@@ -43,10 +46,11 @@ diff -ru a/less.nro b/less.nro
  The shell used to execute the !\& command, as well as to expand filenames.
  .IP TERM
  The type of terminal on which
-diff -ru a/lsystem.c b/lsystem.c
---- a/lsystem.c	2020-05-11 23:36:17.000000000 +0200
-+++ b/lsystem.c	2020-05-12 14:02:25.352355117 +0200
-@@ -127,13 +127,13 @@
+Index: less-608/lsystem.c
+===================================================================
+--- less-608.orig/lsystem.c	2022-07-22 19:26:24.000000000 +0000
++++ less-608/lsystem.c	2023-02-07 15:07:55.523151990 +0000
+@@ -124,13 +124,13 @@ lsystem(cmd, donemsg)
  
  	/*
  	 * Pass the command to the system to be executed.

less.changes

@@ -1,3 +1,15 @@
+-------------------------------------------------------------------
+Tue Feb  7 15:02:12 UTC 2023 - Peter Simons <psimons@suse.com>
+
+- Apply "cve-2022-46663.patch" to fix a vulnerability in less that
+  could be exploited for denial-of-service attacks or even remote
+  code execution by printing specially crafted escape sequences to
+  the terminal. [CVE-2022-46663, bsc#1207815]
+
+- Refreshed all other patches with quilt to an uniform -p1 patch
+  style, which allows us to use %autosetup and simplify the spec
+  file a bit.
+
 -------------------------------------------------------------------
 Wed Sep 14 09:05:33 UTC 2022 - Danilo Spinella <danilo.spinella@suse.com>
 

less.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package less
 #
-# Copyright (c) 2022 SUSE LLC
+# Copyright (c) 2023 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -37,6 +37,7 @@ Source5:        https://www.greenwoodsoftware.com/less/less-%{version}.sig
 Source6:        https://www.greenwoodsoftware.com/less/pubkey.asc#/%{name}.keyring
 Patch0:         less-429-shell.patch
 Patch2:         less-429-more.patch
+Patch3:         https://github.com/gwsw/less/commit/a78e1351113cef564d790a730d657a321624d79c.patch#/cve-2022-46663.patch
 BuildRequires:  automake
 BuildRequires:  ncurses-devel
 BuildRequires:  pkgconfig
@@ -51,9 +52,7 @@ have to read the entire input file before starting. It is possible to
 start an editor at any time from within less.
 
 %prep
-%setup -q
-%patch0 -p1
-%patch2
+%autosetup -p1
 #
 # the ./configure script is not writable for the normal user
 # rather fix permissions for all files