1 files changed, 41 insertions, 0 deletions
diff --git a/meta/recipes-extended/less/less/CVE-2022-48624.patch b/meta/recipes-extended/less/less/CVE-2022-48624.patch
new file mode 100644
index 0000000000..409730bd4f
--- /dev/null
+++ b/meta/recipes-extended/less/less/CVE-2022-48624.patch
@@ -0,0 +1,41 @@
+From c6ac6de49698be84d264a0c4c0c40bb870b10144 Mon Sep 17 00:00:00 2001
+From: Mark Nudelman <markn@greenwoodsoftware.com>
+Date: Sat, 25 Jun 2022 11:54:43 -0700
+Subject: [PATCH] Shell-quote filenames when invoking LESSCLOSE.
+Upstream-Status: Backport [https://github.com/gwsw/less/commit/c6ac6de49698be84d264a0c4c0c40bb870b10144]
+CVE: CVE-2022-48624
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ filename.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+diff --git a/filename.c b/filename.c
+index 5824e385..dff20c08 100644
+--- a/filename.c
+++ b/filename.c
+@@ -972,6 +972,8 @@ close_altfile(altfilename, filename)
+ {
+ #if HAVE_POPEN
+        char *lessclose;
+       char *qfilename;
+       char *qaltfilename;
+        FILE *fd;
+        char *cmd;
+        int len;
+@@ -986,9 +988,13 @@ close_altfile(altfilename, filename)
+                error("LESSCLOSE ignored; must contain no more than 2 %%s", NULL_PARG);
+                return;
+        }
+-       len = (int) (strlen(lessclose) + strlen(filename) + strlen(altfilename) + 2);
+       qfilename = shell_quote(filename);
+       qaltfilename = shell_quote(altfilename);
+       len = (int) (strlen(lessclose) + strlen(qfilename) + strlen(qaltfilename) + 2);
+        cmd = (char *) ecalloc(len, sizeof(char));
+-       SNPRINTF2(cmd, len, lessclose, filename, altfilename);
+       SNPRINTF2(cmd, len, lessclose, qfilename, qaltfilename);
+       free(qaltfilename);
+       free(qfilename);
+        fd = shellcmd(cmd);
+        free(cmd);
+        if (fd != NULL)

diff --git a/meta/recipes-extended/less/less/CVE-2022-48624.patch b/meta/recipes-extended/less/less/CVE-2022-48624.patch new file mode 100644 index 0000000000..409730bd4f --- /dev/null +++ b/meta/recipes-extended/less/less/CVE-2022-48624.patch
@@ -0,0 +1,41 @@
	1	From c6ac6de49698be84d264a0c4c0c40bb870b10144 Mon Sep 17 00:00:00 2001
	2	From: Mark Nudelman <markn@greenwoodsoftware.com>
	3	Date: Sat, 25 Jun 2022 11:54:43 -0700
	4	Subject: [PATCH] Shell-quote filenames when invoking LESSCLOSE.
	5
	6	Upstream-Status: Backport [https://github.com/gwsw/less/commit/c6ac6de49698be84d264a0c4c0c40bb870b10144]
	7	CVE: CVE-2022-48624
	8	Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
	9	---
	10	filename.c \| 10 ++++++++--
	11	1 file changed, 8 insertions(+), 2 deletions(-)
	12
	13	diff --git a/filename.c b/filename.c
	14	index 5824e385..dff20c08 100644
	15	--- a/filename.c
	16	+++ b/filename.c
	17	@@ -972,6 +972,8 @@ close_altfile(altfilename, filename)
	18	{
	19	#if HAVE_POPEN
	20	char *lessclose;
	21	+ char *qfilename;
	22	+ char *qaltfilename;
	23	FILE *fd;
	24	char *cmd;
	25	int len;
	26	@@ -986,9 +988,13 @@ close_altfile(altfilename, filename)
	27	error("LESSCLOSE ignored; must contain no more than 2 %%s", NULL_PARG);
	28	return;
	29	}
	30	- len = (int) (strlen(lessclose) + strlen(filename) + strlen(altfilename) + 2);
	31	+ qfilename = shell_quote(filename);
	32	+ qaltfilename = shell_quote(altfilename);
	33	+ len = (int) (strlen(lessclose) + strlen(qfilename) + strlen(qaltfilename) + 2);
	34	cmd = (char *) ecalloc(len, sizeof(char));
	35	- SNPRINTF2(cmd, len, lessclose, filename, altfilename);
	36	+ SNPRINTF2(cmd, len, lessclose, qfilename, qaltfilename);
	37	+ free(qaltfilename);
	38	+ free(qfilename);
	39	fd = shellcmd(cmd);
	40	free(cmd);
	41	if (fd != NULL)