mirrors/poky
1
0
Fork 0
mirror of https://git.yoctoproject.org/poky synced 2026-05-07 16:59:22 +00:00
Code Issues Projects Releases Wiki Activity

less: backport Debian patch for CVE-2024-32487

Browse Source 
import patch from ubuntu to fix
 CVE-2024-32487

Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/less/tree/debian/patches?h=ubuntu/jammy-security
Upstream commit
https://github.com/gwsw/less/commit/007521ac3c95bc76e3d59c6dbfe75d06c8075c33]

(From OE-Core rev: 1456b309963d3121e5ab2bc9de02b19663ee3a43)

Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
This commit is contained in:
Vijay Anusuri
2024-05-07 10:52:57 +05:30
committed by Steve Sakoman
parent 049e890f7a
commit 197002083a
2 changed files with 70 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
meta/recipes-extended/less/less/CVE-2024-32487.patch
+69
View File
@@ -0,0 +1,69 @@
From 007521ac3c95bc76e3d59c6dbfe75d06c8075c33 Mon Sep 17 00:00:00 2001
From: Mark Nudelman <markn@greenwoodsoftware.com>
Date: Thu, 11 Apr 2024 17:49:48 -0700
Subject: [PATCH] Fix bug when viewing a file whose name contains a newline.
Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/less/tree/debian/patches/CVE-2024-32487.patch?h=ubuntu/jammy-security
Upstream commit https://github.com/gwsw/less/commit/007521ac3c95bc76e3d59c6dbfe75d06c8075c33]
CVE: CVE-2024-32487
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
---
filename.c | 31 +++++++++++++++++++++++++------
1 file changed, 25 insertions(+), 6 deletions(-)
--- a/filename.c
+++ b/filename.c
@@ -136,6 +136,15 @@ metachar(c)
}
/*
+ * Must use quotes rather than escape char for this metachar?
+ */
+static int must_quote(char c)
+{
+ /* {{ Maybe the set of must_quote chars should be configurable? }} */
+ return (c == '\n');
+}
+
+/*
* Insert a backslash before each metacharacter in a string.
*/
public char *
@@ -168,6 +177,9 @@ shell_quote(s)
* doesn't support escape chars. Use quotes.
*/
use_quotes = 1;
+ } else if (must_quote(*p))
+ {
+ len += 3; /* open quote + char + close quote */
} else
{
/*
@@ -197,15 +209,22 @@ shell_quote(s)
{
while (*s != '\0')
{
- if (metachar(*s))
+ if (!metachar(*s))
{
- /*
- * Add the escape char.
- */
+ *p++ = *s++;
+ } else if (must_quote(*s))
+ {
+ /* Surround the char with quotes. */
+ *p++ = openquote;
+ *p++ = *s++;
+ *p++ = closequote;
+ } else
+ {
+ /* Insert an escape char before the char. */
strcpy(p, esc);
p += esclen;
+ *p++ = *s++;
}
- *p++ = *s++;
}
*p = '\0';
}
meta/recipes-extended/less/less_600.bb
+1
View File
@@ -28,6 +28,7 @@ DEPENDS = "ncurses"
SRC_URI = "http://www.greenwoodsoftware.com/${BPN}/${BPN}-${PV}.tar.gz \
file://CVE-2022-46663.patch \
file://CVE-2022-48624.patch \
file://CVE-2024-32487.patch \
"
SRC_URI[sha256sum] = "6633d6aa2b3cc717afb2c205778c7c42c4620f63b1d682f3d12c98af0be74d20"