diff --git a/backport-CVE-2024-32487.patch b/backport-CVE-2024-32487.patch
new file mode 100644
index 0000000000000000000000000000000000000000..7af27372e130d6861a2357286bf40baae01edfee
--- /dev/null
+++ b/backport-CVE-2024-32487.patch
@@ -0,0 +1,70 @@
+From 007521ac3c95bc76e3d59c6dbfe75d06c8075c33 Mon Sep 17 00:00:00 2001
+From: Mark Nudelman
+Date: Thu, 11 Apr 2024 17:49:48 -0700
+Subject: [PATCH] Fix bug when viewing a file whose name contains a newline.
+
+---
+ filename.c | 29 +++++++++++++++++++++++++-----
+ 1 file changed, 24 insertions(+), 5 deletions(-)
+
+diff --git a/filename.c b/filename.c
+index 5d7a5ef..987c24a 100644
+--- a/filename.c
++++ b/filename.c
+@@ -133,6 +133,15 @@ static int metachar(char c)
+ return (strchr(metachars(), c) != NULL);
+ }
+
++/*
++ * Must use quotes rather than escape char for this metachar?
++ */
++static int must_quote(char c)
++{
++ /* {{ Maybe the set of must_quote chars should be configurable? }} */
++ return (c == '\n');
++}
++
+ /*
+ * Insert a backslash before each metacharacter in a string.
+ */
+@@ -165,6 +174,9 @@ public char * shell_quoten(constant char *s, size_t slen)
+ * doesn't support escape chars. Use quotes.
+ */
+ use_quotes = 1;
++ } else if (must_quote(*p))
++ {
++ len += 3; /* open quote + char + close quote */
+ } else
+ {
+ /*
+@@ -195,15 +207,22 @@ public char * shell_quoten(constant char *s, size_t slen)
+ constant char *es = s + slen;
+ while (s < es)
+ {
+- if (metachar(*s))
++ if (!metachar(*s))
+ {
+- /*
+- * Add the escape char.
+- */
++ *np++ = *s++;
++ } else if (must_quote(*s))
++ {
++ /* Surround the char with quotes. */
++ *np++ = openquote;
++ *np++ = *s++;
++ *np++ = closequote;
++ } else
++ {
++ /* Insert an escape char before the char. */
+ strcpy(np, esc);
+ np += esclen;
++ *np++ = *s++;
+ }
+- *np++ = *s++;
+ }
+ *np = '\0';
+ }
+--
+2.43.0
+
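Review bot: In both loops of shell_quoten() the new must_quote() test sits inside the metachar() branch (`} else if (must_quote(*p))` in the sizing loop, and after `if (!metachar(*s))` in the copy loop), so a newline is quoted only while '\n' is a member of the set that metachars() returns. That set is built outside this hunk; if it can be overridden at run time, a set without '\n' would let the newline through unquoted and the fix would not apply for that configuration. Testing must_quote() first in both loops would make the protection independent of that set, e.g. `if (must_quote(*s)) { ... } else if (!metachar(*s)) { *np++ = *s++; } else { ... }`. The comment kept above shell_quoten(), `Insert a backslash before each metacharacter in a string.`, is also stale now; something like `Quote or escape each metacharacter in the first slen bytes of s; newlines are wrapped in quotes.` would match the code. shell_quoten() starts and ends outside the inner hunks, so the sizing and copy loops are only partly visible here.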
diff --git a/backport-Implement-osc8_open.patch b/backport-Implement-osc8_open.patch
new file mode 100644
index 0000000000000000000000000000000000000000..ee2605b2fbcf95e5b858d9ce558004ce69db1622
--- /dev/null
+++ b/backport-Implement-osc8_open.patch
@@ -0,0 +1,69 @@
+From 90d9d12ba9d3818a0074f33c5153b577d07aa8fd Mon Sep 17 00:00:00 2001
+From: Mark Nudelman
+Date: Tue, 16 Jan 2024 18:14:33 -0800
+Subject: [PATCH] Implement osc8_open().
+
+---
+ filename.c | 16 +++++++++++-----
+ 1 file changed, 11 insertions(+), 5 deletions(-)
+
+diff --git a/filename.c b/filename.c
+index 672dc94..5d7a5ef 100644
+--- a/filename.c
++++ b/filename.c
+@@ -136,7 +136,7 @@ static int metachar(char c)
+ /*
+ * Insert a backslash before each metacharacter in a string.
+ */
+-public char * shell_quote(constant char *s)
++public char * shell_quoten(constant char *s, size_t slen)
+ {
+ constant char *p;
+ char *np;
+@@ -151,7 +151,7 @@ public char * shell_quote(constant char *s)
+ * Determine how big a string we need to allocate.
+ */
+ len = 1; /* Trailing null byte */
+- for (p = s; *p != '\0'; p++)
++ for (p = s; p < s + slen; p++)
+ {
+ len++;
+ if (*p == openquote || *p == closequote)
+@@ -181,7 +181,7 @@ public char * shell_quote(constant char *s)
+ * We can't quote a string that contains quotes.
+ */
+ return (NULL);
+- len = (int) strlen(s) + 3;
++ len = slen + 3;
+ }
+ /*
+ * Allocate and construct the new string.
+@@ -189,10 +189,11 @@ public char * shell_quote(constant char *s)
+ newstr = np = (char *) ecalloc(len, sizeof(char));
+ if (use_quotes)
+ {
+- SNPRINTF3(newstr, len, "%c%s%c", openquote, s, closequote);
++ SNPRINTF4(newstr, len, "%c%.*s%c", openquote, (int) slen, s, closequote);
+ } else
+ {
+- while (*s != '\0')
++ constant char *es = s + slen;
++ while (s < es)
+ {
+ if (metachar(*s))
+ {
+@@ -209,6 +210,11 @@ public char * shell_quote(constant char *s)
+ return (newstr);
+ }
+
++public char * shell_quote(char *s)
++{
++ return shell_quoten(s, strlen(s));
++}
++
+ /*
+ * Return a pathname that points to a specified file in a specified directory.
+ * Return NULL if the file does not exist in the directory.
+--
+2.43.0
+
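Review bot: `len = slen + 3;` and the `(int) slen` precision passed to `SNPRINTF4` narrow a `size_t` length into `int` with no range check; the removed line at least made the cast explicit, and `len` is declared as `int len;` in the context lines of the constifying backport. shell_quoten() now takes a caller-supplied length, so a value above INT_MAX would typically wrap `len` before `ecalloc(len, sizeof(char))` and make the `%.*s` precision negative, which printf-style formatting treats as no precision at all (assuming SNPRINTF4 wraps snprintf, which is not visible here). File names will not normally reach that size, so this is hardening rather than a demonstrated defect. A guard at the top of the function such as `if (slen > INT_MAX / 2) return (NULL);` would keep the allocation and the copy in agreement, though the exact bound has to allow for `esclen` bytes per metacharacter, which is computed outside this hunk. The added `shell_quote()` wrapper has no header comment; `/* Quote a NUL-terminated string; see shell_quoten(). */` would do.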
diff --git a/backport-Some-constifying.patch b/backport-Some-constifying.patch
new file mode 100644
index 0000000000000000000000000000000000000000..19c8ca55809313904e691766b44cca3c1a15a86f
--- /dev/null
+++ b/backport-Some-constifying.patch
@@ -0,0 +1,59 @@
+From 756acc92c9d6bea9929d9105207e081054be05fb Mon Sep 17 00:00:00 2001
+From: Mark Nudelman
+Date: Mon, 6 Nov 2023 11:44:08 -0800
+Subject: [PATCH] Some constifying.
+
+---
+ filename.c | 17 +++++++++--------
+ 1 file changed, 9 insertions(+), 8 deletions(-)
+
+diff --git a/filename.c b/filename.c
+index a8726dc..672dc94 100644
+--- a/filename.c
++++ b/filename.c
+@@ -136,12 +136,13 @@ static int metachar(char c)
+ /*
+ * Insert a backslash before each metacharacter in a string.
+ */
+-public char * shell_quote(char *s)
++public char * shell_quote(constant char *s)
+ {
+- char *p;
++ constant char *p;
++ char *np;
+ char *newstr;
+ int len;
+- char *esc = get_meta_escape();
++ constant char *esc = get_meta_escape();
+ int esclen = (int) strlen(esc);
+ int use_quotes = 0;
+ int have_quotes = 0;
+@@ -185,7 +186,7 @@ public char * shell_quote(char *s)
+ /*
+ * Allocate and construct the new string.
+ */
+- newstr = p = (char *) ecalloc(len, sizeof(char));
++ newstr = np = (char *) ecalloc(len, sizeof(char));
+ if (use_quotes)
+ {
+ SNPRINTF3(newstr, len, "%c%s%c", openquote, s, closequote);
+@@ -198,12 +199,12 @@ public char * shell_quote(char *s)
+ /*
+ * Add the escape char.
+ */
+- strcpy(p, esc);
+- p += esclen;
++ strcpy(np, esc);
++ np += esclen;
+ }
+- *p++ = *s++;
++ *np++ = *s++;
+ }
+- *p = '\0';
++ *np = '\0';
+ }
+ return (newstr);
+ }
+--
+2.43.0
+
diff --git a/less.spec b/less.spec
index 122b41556580aa556fdeadfa4a485a7f13e31956..1a2b337a1eca2b94f6ea6f3880e2ecd332d3122b 100644
--- a/less.spec
+++ b/less.spec
@@ -1,12 +1,15 @@ Name: less Version: 633 -Release: 1 +Release: 2 Summary: Less is a pager that displays text files. License: GPLv3+ or BSD URL: http://www.greenwoodsoftware.com/less Source0: http://www.greenwoodsoftware.com/less/%{name}-%{version}.tar.gz Patch0: less-394-time.patch Patch1: less-475-fsync.patch +Patch2: backport-Some-constifying.patch +Patch3: backport-Implement-osc8_open.patch +Patch4: backport-CVE-2024-32487.patch BuildRequires: gcc make ncurses-devel autoconf automake libtool @@ -45,6 +48,9 @@ autoreconf -ivf %{_mandir}/man1/* %changelog +* Mon Apr 22 2024 wangjiang - 633-2 +- fix CVE-2024-32487 + * Tue Jan 30 2024 hongjinghao - 633-1 - Update to 633