Control: tags 1064293 + patch
Control: tags 1064293 + pending
Control: tags 1068938 + patch
Control: tags 1068938 + pending
Dear maintainer,

I've prepared an NMU for less (versioned as 590-2.1) and uploaded it to DELAYED/2. Please feel free to tell me if I should delay it longer.

I have also pushed it to a separate branch on salsa, which can be merged if accepted to unstable:

https://salsa.debian.org/debian/less/-/tree/sid-2024-security-fixes?ref_type=heads

Regards,
Salvatore
diff -Nru less-590/debian/changelog less-590/debian/changelog --- less-590/debian/changelog 2023-03-12 17:18:18.000000000 +0100 +++ less-590/debian/changelog 2024-04-19 15:09:49.000000000 +0200 @@ -1,3 +1,13 @@ +less (590-2.1) unstable; urgency=medium + + * Non-maintainer upload. + * Shell-quote filenames when invoking LESSCLOSE (CVE-2022-48624) + (Closes: #1064293) + * Fix bug when viewing a file whose name contains a newline (CVE-2024-32487) + (Closes: #1068938) + + -- Salvatore Bonaccorso <car...@debian.org> Fri, 19 Apr 2024 15:09:49 +0200 + less (590-2) sid; urgency=medium * d/control: set standards version to 4.6.2 diff -Nru less-590/debian/patches/Fix-bug-when-viewing-a-file-whose-name-contains-a-ne.patch less-590/debian/patches/Fix-bug-when-viewing-a-file-whose-name-contains-a-ne.patch --- less-590/debian/patches/Fix-bug-when-viewing-a-file-whose-name-contains-a-ne.patch 1970-01-01 01:00:00.000000000 +0100 +++ less-590/debian/patches/Fix-bug-when-viewing-a-file-whose-name-contains-a-ne.patch 2024-04-19 15:09:49.000000000 +0200 
@@ -0,0 +1,67 @@ +From: Mark Nudelman <ma...@greenwoodsoftware.com> +Date: Thu, 11 Apr 2024 17:49:48 -0700 +Subject: Fix bug when viewing a file whose name contains a newline. +Origin: https://github.com/gwsw/less/commit/007521ac3c95bc76e3d59c6dbfe75d06c8075c33 +Bug-Debian: https://bugs.debian.org/1068938 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2024-32487 + +--- + filename.c | 31 +++++++++++++++++++++++++------ + 1 file changed, 25 insertions(+), 6 deletions(-) + +--- a/filename.c ++++ b/filename.c +@@ -136,6 +136,15 @@ metachar(c) + } + + /* ++ * Must use quotes rather than escape char for this metachar? ++ */ ++static int must_quote(char c) ++{ ++ /* {{ Maybe the set of must_quote chars should be configurable? }} */ ++ return (c == '\n'); ++} ++ ++/* + * Insert a backslash before each metacharacter in a string. + */ + public char * +@@ -168,6 +177,9 @@ shell_quote(s) + * doesn't support escape chars. Use quotes. + */ + use_quotes = 1; ++ } else if (must_quote(*p)) ++ { ++ len += 3; /* open quote + char + close quote */ + } else + { + /* +@@ -197,15 +209,22 @@ shell_quote(s) + { + while (*s != '\0') + { +- if (metachar(*s)) ++ if (!metachar(*s)) + { +- /* +- * Add the escape char. +- */ ++ *p++ = *s++; ++ } else if (must_quote(*s)) ++ { ++ /* Surround the char with quotes. */ ++ *p++ = openquote; ++ *p++ = *s++; ++ *p++ = closequote; ++ } else ++ { ++ /* Insert an escape char before the char. */ + strcpy(p, esc); + p += esclen; ++ *p++ = *s++; + } +- *p++ = *s++; + } + *p = '\0'; + } diff -Nru less-590/debian/patches/Shell-quote-filenames-when-invoking-LESSCLOSE.patch less-590/debian/patches/Shell-quote-filenames-when-invoking-LESSCLOSE.patch --- less-590/debian/patches/Shell-quote-filenames-when-invoking-LESSCLOSE.patch 1970-01-01 01:00:00.000000000 +0100 +++ less-590/debian/patches/Shell-quote-filenames-when-invoking-LESSCLOSE.patch 2024-04-19 15:09:49.000000000 +0200 
@@ -0,0 +1,43 @@ +From: Mark Nudelman <ma...@greenwoodsoftware.com> +Date: Sat, 25 Jun 2022 11:54:43 -0700 +Subject: Shell-quote filenames when invoking LESSCLOSE. +Origin: https://github.com/gwsw/less/commit/c6ac6de49698be84d264a0c4c0c40bb870b10144 +Bug-Debian: https://bugs.debian.org/1064293 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2022-48624 + +--- + filename.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/filename.c b/filename.c +index 5824e385dce4..dff20c08d81c 100644 +--- a/filename.c ++++ b/filename.c +@@ -972,6 +972,8 @@ close_altfile(altfilename, filename) + { + #if HAVE_POPEN + char *lessclose; ++ char *qfilename; ++ char *qaltfilename; + FILE *fd; + char *cmd; + int len; +@@ -986,9 +988,13 @@ close_altfile(altfilename, filename) + error("LESSCLOSE ignored; must contain no more than 2 %%s", NULL_PARG); + return; + } +- len = (int) (strlen(lessclose) + strlen(filename) + strlen(altfilename) + 2); ++ qfilename = shell_quote(filename); ++ qaltfilename = shell_quote(altfilename); ++ len = (int) (strlen(lessclose) + strlen(qfilename) + strlen(qaltfilename) + 2); + cmd = (char *) ecalloc(len, sizeof(char)); +- SNPRINTF2(cmd, len, lessclose, filename, altfilename); ++ SNPRINTF2(cmd, len, lessclose, qfilename, qaltfilename); ++ free(qaltfilename); ++ free(qfilename); + fd = shellcmd(cmd); + free(cmd); + if (fd != NULL) +-- +2.43.0 + diff -Nru less-590/debian/patches/series less-590/debian/patches/series --- less-590/debian/patches/series 2023-03-12 03:01:51.000000000 +0100 +++ less-590/debian/patches/series 2024-04-19 15:09:49.000000000 +0200 @@ -1,3 +1,5 @@ less-is-more-434417.patch 02-655926-more_can_go_backwards.patch End-OSC8-hyperlink-on-invalid-embedded-escape-sequen.patch +Shell-quote-filenames-when-invoking-LESSCLOSE.patch +Fix-bug-when-viewing-a-file-whose-name-contains-a-ne.patch
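Review bot: The comment on must_quote() in Fix-bug-when-viewing-a-file-whose-name-contains-a-ne.patch (filename.c hunk at -136,6) does not say why a newline has to be quoted rather than escaped. A POSIX shell treats backslash followed by newline as a line continuation and removes both characters, so the escaped form silently changes the filename; one sentence to that effect in the comment would keep a later reader from "simplifying" this back to the escape path. As a minor style point, `static int must_quote(char c)` is an ANSI-style definition while the neighbouring definitions shown in the hunk headers (`metachar(c)`, `shell_quote(s)`) are K&R style.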
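Review bot: In the copy loop of the same patch (filename.c hunk at -197,15), `must_quote(*s)` is only reached in the else branch of `if (!metachar(*s))`, so a newline is wrapped in quotes only while metachar() reports '\n' as a metacharacter. If the metacharacter set can be changed so that it no longer contains '\n', the newline is copied through unmodified. Testing must_quote() before metachar() here, and matching that in the length pass where `len += 3` is added, would make the fix independent of that set; failing that, the dependency should be stated in the comment on must_quote().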
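Review bot: In Shell-quote-filenames-when-invoking-LESSCLOSE.patch (close_altfile hunk at -986,9), the results of `shell_quote(filename)` and `shell_quote(altfilename)` go straight into strlen() and SNPRINTF2 with no check. If shell_quote() can return NULL for a name it is unable to quote, this dereferences a null pointer; either bail out when `qfilename` or `qaltfilename` is NULL (freeing whichever one was allocated) or add a comment stating why a NULL return cannot happen on this path.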