!58 fix CVE-2022-48624

From: @Venland 
Reviewed-by: @openeuler-basic 
Signed-off-by: @openeuler-basic
openeuler-ci-bot 2024-02-21 02:16:04 +00:00 committed by Gitee
commit a9a4d00e99
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
2 changed files with 43 additions and 1 deletions


@ -0,0 +1,38 @@
From c6ac6de49698be84d264a0c4c0c40bb870b10144 Mon Sep 17 00:00:00 2001
From: Mark Nudelman <markn@greenwoodsoftware.com>
Date: Sat, 25 Jun 2022 11:54:43 -0700
Subject: [PATCH] Shell-quote filenames when invoking LESSCLOSE.
---
filename.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/filename.c b/filename.c
index 5824e385..dff20c08 100644
--- a/filename.c
+++ b/filename.c
@@ -972,6 +972,8 @@ close_altfile(altfilename, filename)
{
#if HAVE_POPEN
char *lessclose;
+ char *qfilename;
+ char *qaltfilename;
FILE *fd;
char *cmd;
int len;
@@ -986,9 +988,13 @@ close_altfile(altfilename, filename)
error("LESSCLOSE ignored; must contain no more than 2 %%s", NULL_PARG);
return;
}
- len = (int) (strlen(lessclose) + strlen(filename) + strlen(altfilename) + 2);
+ qfilename = shell_quote(filename);
+ qaltfilename = shell_quote(altfilename);
+ len = (int) (strlen(lessclose) + strlen(qfilename) + strlen(qaltfilename) + 2);
cmd = (char *) ecalloc(len, sizeof(char));
- SNPRINTF2(cmd, len, lessclose, filename, altfilename);
+ SNPRINTF2(cmd, len, lessclose, qfilename, qaltfilename);
+ free(qaltfilename);
+ free(qfilename);
fd = shellcmd(cmd);
free(cmd);
if (fd != NULL)
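Review bot: The results of `shell_quote(filename)` and `shell_quote(altfilename)` go straight into `strlen()` in the second hunk of the backported patch with no NULL check. `shell_quote` is defined outside this page, so this is an assumption to confirm: if it can return NULL for a name it cannot quote, a crafted filename turns the fix into a null-pointer dereference. A guard before the `len` computation, such as `if (qfilename == NULL || qaltfilename == NULL) { free(qfilename); free(qaltfilename); return; }`, would skip LESSCLOSE for that file instead. The `(int)` cast on the summed lengths is unchanged context, but quoting makes the strings longer, so a short comment there about the assumed bound on filename length would help. The body of `close_altfile` starts and ends outside the hunks shown.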


@ -1,6 +1,6 @@
Name: less
Version: 590
Release: 4
Release: 5
Summary: Less is a pager that displays text files.
License: GPLv3+ or BSD
URL: http://www.greenwoodsoftware.com/less
@ -9,6 +9,7 @@ Patch0: less-394-time.patch
Patch6000: backport-Fix-memory-leak-when-using-corrupt-lesshst-file.patch
Patch6001: backport-Fix-crash-when-enter-invaid-pattern-in-command.patch
Patch6002: backport-End-OSC8-hyperlink-on-invalid-embedded-escape-sequen.patch
Patch6003: backport-Shell-quote-filenames-when-invoking-LESSCLOSE.patch
BuildRequires: gcc make ncurses-devel autoconf automake libtool
@ -47,6 +48,9 @@ autoreconf -ivf
%{_mandir}/man1/*
%changelog
* Mon Feb 19 2024 liweigang <izmirvii@gmail.com> - 590-5
- fix CVE-2022-48624
* Thu Feb 16 2023 hongjinghao <hongjinghao@huawei.com> - 590-4
- fix CVE-2022-46663