diff options
| -rw-r--r-- | meta/recipes-extended/less/files/CVE-2024-32487.patch | 74 | ||||
| -rw-r--r-- | meta/recipes-extended/less/less_643.bb | 1 |
2 files changed, 75 insertions, 0 deletions
diff --git a/meta/recipes-extended/less/files/CVE-2024-32487.patch b/meta/recipes-extended/less/files/CVE-2024-32487.patch new file mode 100644 index 0000000000..2d33099cd3 --- /dev/null +++ b/meta/recipes-extended/less/files/CVE-2024-32487.patch | |||
| @@ -0,0 +1,74 @@ | |||
| 1 | From 007521ac3c95bc76e3d59c6dbfe75d06c8075c33 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Mark Nudelman <markn@greenwoodsoftware.com> | ||
| 3 | Date: Thu, 11 Apr 2024 17:49:48 -0700 | ||
| 4 | Subject: [PATCH] Fix bug when viewing a file whose name contains a newline. | ||
| 5 | |||
| 6 | CVE: CVE-2024-32487 | ||
| 7 | |||
| 8 | Upstream-Status: Backport [https://github.com/gwsw/less/commit/007521ac3c95bc76e3d59c6dbfe75d06c8075c33] | ||
| 9 | |||
| 10 | Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> | ||
| 11 | --- | ||
| 12 | filename.c | 29 ++++++++++++++++++++++++----- | ||
| 13 | 1 file changed, 24 insertions(+), 5 deletions(-) | ||
| 14 | |||
| 15 | diff --git a/filename.c b/filename.c | ||
| 16 | index a8726dc..c4b35b1 100644 | ||
| 17 | --- a/filename.c | ||
| 18 | +++ b/filename.c | ||
| 19 | @@ -133,6 +133,15 @@ static int metachar(char c) | ||
| 20 | return (strchr(metachars(), c) != NULL); | ||
| 21 | } | ||
| 22 | |||
| 23 | +/* | ||
| 24 | + * Must use quotes rather than escape char for this metachar? | ||
| 25 | + */ | ||
| 26 | +static int must_quote(char c) | ||
| 27 | +{ | ||
| 28 | + /* {{ Maybe the set of must_quote chars should be configurable? }} */ | ||
| 29 | + return (c == '\n'); | ||
| 30 | +} | ||
| 31 | + | ||
| 32 | /* | ||
| 33 | * Insert a backslash before each metacharacter in a string. | ||
| 34 | */ | ||
| 35 | @@ -164,6 +173,9 @@ public char * shell_quote(char *s) | ||
| 36 | * doesn't support escape chars. Use quotes. | ||
| 37 | */ | ||
| 38 | use_quotes = 1; | ||
| 39 | + } else if (must_quote(*p)) | ||
| 40 | + { | ||
| 41 | + len += 3; /* open quote + char + close quote */ | ||
| 42 | } else | ||
| 43 | { | ||
| 44 | /* | ||
| 45 | @@ -193,15 +205,22 @@ public char * shell_quote(char *s) | ||
| 46 | { | ||
| 47 | while (*s != '\0') | ||
| 48 | { | ||
| 49 | - if (metachar(*s)) | ||
| 50 | + if (!metachar(*s)) | ||
| 51 | { | ||
| 52 | - /* | ||
| 53 | - * Add the escape char. | ||
| 54 | - */ | ||
| 55 | + *p++ = *s++; | ||
| 56 | + } else if (must_quote(*s)) | ||
| 57 | + { | ||
| 58 | + /* Surround the char with quotes. */ | ||
| 59 | + *p++ = openquote; | ||
| 60 | + *p++ = *s++; | ||
| 61 | + *p++ = closequote; | ||
| 62 | + } else | ||
| 63 | + { | ||
| 64 | + /* Insert an escape char before the char. */ | ||
| 65 | strcpy(p, esc); | ||
| 66 | p += esclen; | ||
| 67 | + *p++ = *s++; | ||
| 68 | } | ||
| 69 | - *p++ = *s++; | ||
| 70 | } | ||
| 71 | *p = '\0'; | ||
| 72 | } | ||
| 73 | -- | ||
| 74 | 2.40.0 | ||
diff --git a/meta/recipes-extended/less/less_643.bb b/meta/recipes-extended/less/less_643.bb index 67834bdd58..537283bde4 100644 --- a/meta/recipes-extended/less/less_643.bb +++ b/meta/recipes-extended/less/less_643.bb | |||
| @@ -27,6 +27,7 @@ DEPENDS = "ncurses" | |||
| 27 | 27 | ||
| 28 | SRC_URI = "http://www.greenwoodsoftware.com/${BPN}/${BPN}-${PV}.tar.gz \ | 28 | SRC_URI = "http://www.greenwoodsoftware.com/${BPN}/${BPN}-${PV}.tar.gz \ |
| 29 | file://run-ptest \ | 29 | file://run-ptest \ |
| 30 | file://CVE-2024-32487.patch \ | ||
| 30 | " | 31 | " |
| 31 | 32 | ||
| 32 | SRC_URI[sha256sum] = "2911b5432c836fa084c8a2e68f6cd6312372c026a58faaa98862731c8b6052e8" | 33 | SRC_URI[sha256sum] = "2911b5432c836fa084c8a2e68f6cd6312372c026a58faaa98862731c8b6052e8" |