commit: e9856cc39c2e0ee09e32358b23a120d855e4953c Author: Sam James <sam <AT> gentoo <DOT> org> AuthorDate: Sun Apr 14 00:47:11 2024 +0000 Commit: Sam James <sam <AT> gentoo <DOT> org> CommitDate: Sun Apr 14 00:49:11 2024 +0000 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e9856cc3
sys-apps/less: fix LESSOPEN escape vulnerability Special thanks to the less upstream maintainer, Mark Nudelman, for providing us with a backport to 643. Bug: https://bugs.gentoo.org/929210 Signed-off-by: Sam James <sam <AT> gentoo.org> sys-apps/less/files/less-643-LESSOPEN-escape.patch | 61 ++++++++++++++ sys-apps/less/less-643-r2.ebuild | 97 ++++++++++++++++++++++ 2 files changed, 158 insertions(+) diff --git a/sys-apps/less/files/less-643-LESSOPEN-escape.patch b/sys-apps/less/files/less-643-LESSOPEN-escape.patch new file mode 100644 index 000000000000..f3fe50fcfaa2 --- /dev/null +++ b/sys-apps/less/files/less-643-LESSOPEN-escape.patch @@ -0,0 +1,61 @@ +https://openwall.com/lists/oss-security/2024/04/12/5 +https://bugs.gentoo.org/929210 +https://github.com/gwsw/less/commit/007521ac3c95bc76e3d59c6dbfe75d06c8075c33 + +Upstream provided this version via email as a backport to 643. +--- a/filename.c ++++ b/filename.c +@@ -134,6 +134,15 @@ + } + + /* ++ * Must use quotes rather than escape char for this metachar? ++ */ ++static int must_quote(char c) ++{ ++ /* {{ Maybe the set of must_quote chars should be configurable? }} */ ++ return (c == '\n'); ++} ++ ++/* + * Insert a backslash before each metacharacter in a string. + */ + public char * shell_quote(char *s) +@@ -164,6 +173,9 @@ + * doesn't support escape chars. Use quotes. + */ + use_quotes = 1; ++ } else if (must_quote(*p)) ++ { ++ len += 3; /* open quote + char + close quote */ + } else + { + /* +@@ -193,15 +205,22 @@ + { + while (*s != '\0') + { +- if (metachar(*s)) ++ if (!metachar(*s)) + { +- /* +- * Add the escape char. +- */ ++ *p++ = *s++; ++ } else if (must_quote(*s)) ++ { ++ /* Surround the char with quotes. */ ++ *p++ = openquote; ++ *p++ = *s++; ++ *p++ = closequote; ++ } else ++ { ++ /* Insert an escape char before the char. */ + strcpy(p, esc); + p += esclen; ++ *p++ = *s++; + } +- *p++ = *s++; + } + *p = '\0'; + } diff --git a/sys-apps/less/less-643-r2.ebuild b/sys-apps/less/less-643-r2.ebuild new file mode 100644 index 000000000000..a8159dc3fa9f --- /dev/null +++ b/sys-apps/less/less-643-r2.ebuild @@ -0,0 +1,97 @@ +# Copyright 1999-2024 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=8 + +# Releases are usually first a beta then promoted to stable if no +# issues were found. Upstream explicitly ask "to not generally distribute" +# the beta versions. It's okay to keyword beta versions if they fix +# a serious bug, but otherwise try to avoid it. + +WANT_AUTOMAKE=none +WANT_LIBTOOL=none +inherit autotools flag-o-matic optfeature toolchain-funcs + +DESCRIPTION="Excellent text file viewer" +HOMEPAGE="https://www.greenwoodsoftware.com/less/"; + +MY_PV=${PV/_beta/-beta} +MY_P=${PN}-${MY_PV} + +if [[ ${PV} == 9999 ]]; then + EGIT_REPO_URI="https://github.com/gwsw/less"; + inherit git-r3 +else + SRC_URI="https://www.greenwoodsoftware.com/less/${MY_P}.tar.gz"; + + if [[ ${PV} != *_beta* ]] ; then + KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris" + fi +fi + +S="${WORKDIR}"/${MY_P/?beta} + +LICENSE="|| ( GPL-3 BSD-2 )" +SLOT="0" +IUSE="pcre test" +# chinese1, utf8-2 +RESTRICT="test !test? ( test )" + +DEPEND=" + >=app-misc/editor-wrapper-3 + >=sys-libs/ncurses-5.2:= + pcre? ( dev-libs/libpcre2 ) +" +RDEPEND="${DEPEND}" +BDEPEND="test? ( virtual/pkgconfig )" + +PATCHES=( + "${FILESDIR}"/${PN}-643-lesstest-pkg-config.patch + "${FILESDIR}"/${PN}-643-LESSOPEN-escape.patch +) + +src_prepare() { + default + # Per upstream README to prepare live build + [[ ${PV} == 9999 ]] && emake -f Makefile.aut distfiles + # Upstream uses unpatched autoconf-2.69, which breaks with clang-16. + # https://bugs.gentoo.org/870412 + eautoreconf +} + +src_configure() { + append-lfs-flags # bug #896316 + + local myeconfargs=( + --with-regex=$(usex pcre pcre2 posix) + --with-editor="${EPREFIX}"/usr/libexec/editor + ) + econf "${myeconfargs[@]}" +} + +src_test() { + emake check VERBOSE=1 CC="$(tc-getCC)" PKG_CONFIG="$(tc-getPKG_CONFIG)" +} + +src_install() { + default + + keepdir /usr/lib/lessfilter.d + keepdir /etc/lessfilter.d + + newbin "${FILESDIR}"/lesspipe-r3.sh lesspipe + newenvd "${FILESDIR}"/less.envd 70less +} + +pkg_preinst() { + optfeature "Colorized output support" dev-python/pygments + + if has_version "<${CATEGORY}/${PN}-483-r1" ; then + elog "The lesspipe.sh symlink has been dropped. If you are still setting" + elog "LESSOPEN to that, you will need to update it to '|lesspipe %s'." + fi + + if has_version "<${CATEGORY}/${PN}-643" ; then + elog "less now colorizes by default. To disable this, set LESSCOLOR=no." + fi +}
