From: Vijay Anusuri <vanus...@mvista.com> import patch from ubuntu to fix CVE-2024-32487
Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/less/tree/debian/patches?h=ubuntu/jammy-security Upstream commit https://github.com/gwsw/less/commit/007521ac3c95bc76e3d59c6dbfe75d06c8075c33] Signed-off-by: Vijay Anusuri <vanus...@mvista.com> --- .../less/less/CVE-2024-32487.patch | 69 +++++++++++++++++++ meta/recipes-extended/less/less_600.bb | 1 + 2 files changed, 70 insertions(+) create mode 100644 meta/recipes-extended/less/less/CVE-2024-32487.patch diff --git a/meta/recipes-extended/less/less/CVE-2024-32487.patch b/meta/recipes-extended/less/less/CVE-2024-32487.patch new file mode 100644 index 0000000000..d5c8b9ce31 --- /dev/null +++ b/meta/recipes-extended/less/less/CVE-2024-32487.patch @@ -0,0 +1,69 @@ +From 007521ac3c95bc76e3d59c6dbfe75d06c8075c33 Mon Sep 17 00:00:00 2001 +From: Mark Nudelman <ma...@greenwoodsoftware.com> +Date: Thu, 11 Apr 2024 17:49:48 -0700 +Subject: [PATCH] Fix bug when viewing a file whose name contains a newline. + +Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/less/tree/debian/patches/CVE-2024-32487.patch?h=ubuntu/jammy-security +Upstream commit https://github.com/gwsw/less/commit/007521ac3c95bc76e3d59c6dbfe75d06c8075c33] +CVE: CVE-2024-32487 +Signed-off-by: Vijay Anusuri <vanus...@mvista.com> +--- + filename.c | 31 +++++++++++++++++++++++++------ + 1 file changed, 25 insertions(+), 6 deletions(-) + +--- a/filename.c ++++ b/filename.c +@@ -136,6 +136,15 @@ metachar(c) + } + + /* ++ * Must use quotes rather than escape char for this metachar? ++ */ ++static int must_quote(char c) ++{ ++ /* {{ Maybe the set of must_quote chars should be configurable? }} */ ++ return (c == '\n'); ++} ++ ++/* + * Insert a backslash before each metacharacter in a string. + */ + public char * +@@ -168,6 +177,9 @@ shell_quote(s) + * doesn't support escape chars. Use quotes. + */ + use_quotes = 1; ++ } else if (must_quote(*p)) ++ { ++ len += 3; /* open quote + char + close quote */ + } else + { + /* +@@ -197,15 +209,22 @@ shell_quote(s) + { + while (*s != '\0') + { +- if (metachar(*s)) ++ if (!metachar(*s)) + { +- /* +- * Add the escape char. +- */ ++ *p++ = *s++; ++ } else if (must_quote(*s)) ++ { ++ /* Surround the char with quotes. */ ++ *p++ = openquote; ++ *p++ = *s++; ++ *p++ = closequote; ++ } else ++ { ++ /* Insert an escape char before the char. */ + strcpy(p, esc); + p += esclen; ++ *p++ = *s++; + } +- *p++ = *s++; + } + *p = '\0'; + } diff --git a/meta/recipes-extended/less/less_600.bb b/meta/recipes-extended/less/less_600.bb index f88127a9e3..01fed7c065 100644 --- a/meta/recipes-extended/less/less_600.bb +++ b/meta/recipes-extended/less/less_600.bb @@ -28,6 +28,7 @@ DEPENDS = "ncurses" SRC_URI = "http://www.greenwoodsoftware.com/${BPN}/${BPN}-${PV}.tar.gz \ file://CVE-2022-46663.patch \ file://CVE-2022-48624.patch \ + file://CVE-2024-32487.patch \ " SRC_URI[sha256sum] = "6633d6aa2b3cc717afb2c205778c7c42c4620f63b1d682f3d12c98af0be74d20" -- 2.25.1
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#199067): https://lists.openembedded.org/g/openembedded-core/message/199067 Mute This Topic: https://lists.openembedded.org/mt/105955401/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-