From 1b51a4cbcc88e50bbbac2a7e2fa8ae919e9a2dcc Mon Sep 17 00:00:00 2001 From: MSVSphere Packaging Team Date: Fri, 31 May 2024 03:30:11 +0300 Subject: [PATCH] import less-590-4.el9_4 --- SOURCES/less-590-CVE-2024-32487.patch | 65 +++++++++++++++++++++++++++ SPECS/less.spec | 8 +++- 2 files changed, 72 insertions(+), 1 deletion(-) create mode 100644 SOURCES/less-590-CVE-2024-32487.patch diff --git a/SOURCES/less-590-CVE-2024-32487.patch b/SOURCES/less-590-CVE-2024-32487.patch new file mode 100644 index 0000000..e6ba0e8 --- /dev/null +++ b/SOURCES/less-590-CVE-2024-32487.patch @@ -0,0 +1,65 @@ +Patch backported from: + +commit 007521ac3c95bc76e3d59c6dbfe75d06c8075c33 +Author: Mark Nudelman +Date: Thu Apr 11 17:49:48 2024 -0700 + + Fix bug when viewing a file whose name contains a newline. + +diff -up less-643/filename.c.cve-2024-32487 less-643/filename.c +--- less-643/filename.c.cve-2024-32487 2023-07-21 00:43:14.000000000 +0200 ++++ less-643/filename.c 2024-04-23 10:24:17.347269703 +0200 +@@ -128,6 +128,15 @@ static char * metachars(void) + } + + /* ++ * Must use quotes rather than escape char for this metachar? ++ */ ++static int must_quote(char c) ++{ ++ /* {{ Maybe the set of must_quote chars should be configurable? }} */ ++ return (c == '\n'); ++} ++ ++/* + * Insert a backslash before each metacharacter in a string. + */ + public char * +@@ -164,6 +173,9 @@ public char * shell_quote(char *s) + * doesn't support escape chars. Use quotes. + */ + use_quotes = 1; ++ } else if (must_quote(*p)) ++ { ++ len += 3; /* open quote + char + close quote */ + } else + { + /* +@@ -193,15 +205,22 @@ public char * shell_quote(char *s) + { + while (*s != '\0') + { +- if (metachar(*s)) ++ if (!metachar(*s)) + { +- /* +- * Add the escape char. +- */ ++ *p++ = *s++; ++ } else if (must_quote(*s)) ++ { ++ /* Surround the char with quotes. */ ++ *p++ = openquote; ++ *p++ = *s++; ++ *p++ = closequote; ++ } else ++ { ++ /* Insert an escape char before the char. */ + strcpy(p, esc); + p += esclen; ++ *p++ = *s++; + } +- *p++ = *s++; + } + *p = '\0'; + } diff --git a/SPECS/less.spec b/SPECS/less.spec index 087f65f..c5b3880 100644 --- a/SPECS/less.spec +++ b/SPECS/less.spec @@ -1,7 +1,7 @@ Summary: A text file browser similar to more, but better Name: less Version: 590 -Release: 3%{?dist} +Release: 4%{?dist} License: GPLv3+ or BSD Source0: https://www.greenwoodsoftware.com/less/%{name}-%{version}.tar.gz Source1: lesspipe.sh @@ -17,6 +17,7 @@ Patch10: less-458-lesskey-usage.patch Patch11: less-458-old-bot-in-help.patch Patch12: less-590-CVE-2022-46663.patch Patch13: less-590-CVE-2022-48624.patch +Patch14: less-590-CVE-2024-32487.patch URL: https://www.greenwoodsoftware.com/less/ BuildRequires: ncurses-devel BuildRequires: autoconf automake libtool @@ -44,6 +45,7 @@ files, and you'll use it frequently. %patch11 -p1 -b .old-bot %patch12 -p1 -b .CVE-2022-46663 %patch13 -p1 -b .CVE-2022-48624 +%patch14 -p1 -b .CVE-2024-32487 %build @@ -67,6 +69,10 @@ install -p -m 644 %{SOURCE3} $RPM_BUILD_ROOT/etc/profile.d %{_mandir}/man1/* %changelog +* Tue Apr 23 2024 Matej Mužila - 590-4 +- Fix CVE-2024-32487 +- Resolves: RHEL-33773 + * Wed Feb 21 2024 Matej Mužila 590-3 - Fix CVE-2022-48624 - Resolves: RHEL-26265