import UBI less-530-3.el8_10

2024-07-02 18:46:45 +00:00 · 2024-07-02 18:46:45 +00:00 · 8472879562
commit 8472879562
parent 73b29de2ff
2 changed files with 76 additions and 5 deletions
--- a/SOURCES/less-530-CVE-2024-32487.patch
+++ b/SOURCES/less-530-CVE-2024-32487.patch
@ -0,0 +1,65 @@
+Patch backported from:
+
+commit 007521ac3c95bc76e3d59c6dbfe75d06c8075c33
+Author: Mark Nudelman <markn@greenwoodsoftware.com>
+Date:   Thu Apr 11 17:49:48 2024 -0700
+
+    Fix bug when viewing a file whose name contains a newline.
+
+diff -up less-643/filename.c.cve-2024-32487 less-643/filename.c
+--- less-643/filename.c.cve-2024-32487	2023-07-21 00:43:14.000000000 +0200
+++ less-643/filename.c	2024-04-23 10:24:17.347269703 +0200
+@@ -128,6 +128,15 @@ static char * metachars(void)
+ }
+ 
+ /*
+ * Must use quotes rather than escape char for this metachar?
+ */
+static int must_quote(char c)
+{
+	/* {{ Maybe the set of must_quote chars should be configurable? }} */
+	return (c == '\n'); 
+}
+
+/*
+  * Insert a backslash before each metacharacter in a string.
+  */
+	public char *
+@@ -164,6 +173,9 @@ public char * shell_quote(char *s)
+ 				 * doesn't support escape chars.  Use quotes.
+ 				 */
+ 				use_quotes = 1;
+			} else if (must_quote(*p))
+			{
+				len += 3; /* open quote + char + close quote */
+ 			} else
+ 			{
+ 				/*
+@@ -193,15 +205,22 @@ public char * shell_quote(char *s)
+ 	{
+ 		while (*s != '\0')
+ 		{
+-			if (metachar(*s))
+			if (!metachar(*s))
+ 			{
+-				/*
+-				 * Add the escape char.
+-				 */
+				*p++ = *s++;
+			} else if (must_quote(*s))
+			{
+				/* Surround the char with quotes. */
+				*p++ = openquote;
+				*p++ = *s++;
+				*p++ = closequote;
+			} else
+			{
+				/* Insert an escape char before the char. */
+ 				strcpy(p, esc);
+ 				p += esclen;
+				*p++ = *s++;
+ 			}
+-			*p++ = *s++;
+ 		}
+ 		*p = '\0';
+ 	}
--- a/SPECS/less.spec
+++ b/SPECS/less.spec
@ -1,7 +1,7 @@
 Summary: A text file browser similar to more, but better
 Name: less
 Version: 530
-Release: 2%{?dist}
+Release: 3%{?dist}
 License: GPLv3+ or BSD
 Group: Applications/Text
 Source: http://www.greenwoodsoftware.com/less/%{name}-%{version}.tar.gz
@ -17,7 +17,7 @@ Patch9: less-458-less-filters-man.patch
 Patch10: less-458-lesskey-usage.patch
 Patch11: less-458-old-bot-in-help.patch
 Patch12: less-530-CVE-2022-48624.patch
-
+Patch13: less-530-CVE-2024-32487.patch
 URL: http://www.greenwoodsoftware.com/less/
 BuildRequires: ncurses-devel
 BuildRequires: autoconf automake libtool
@ -43,6 +43,8 @@ files, and you'll use it frequently.
 %patch10 -p1 -b .lesskey-usage
 %patch11 -p1 -b .old-bot
 %patch12 -p1 -b .CVE-2022-48624
+%patch13 -p1 -b .CVE-2024-32487
+

 %build
 rm -f ./configure
@ -65,9 +67,13 @@ install -p -m 644 %{SOURCE3} $RPM_BUILD_ROOT/etc/profile.d
 %{_mandir}/man1/*

 %changelog
-* Tue Mar 05 2024 Prachi Chavan <pracchav@redhat.com> - 530-2
- Fix: CVE-2022-48624
- Resolves: RHEL-26123
+* Tue Apr 23 2024 Matej Mužila <mmuzila@redhat.com> - 530-3
+- Fix CVE-2024-32487
+- Resolves: RHEL-32738
+
+* Wed Feb 21 2024 Matej Mužila <mmuzila@redhat.com> - 530-2
+- Fix CVE-2022-48624
+- Resolves: RHEL-26124

 * Sat Feb 17 2018 Pavel Raiskup <praiskup@redhat.com> - 530-1
 - new release, per upstream release notes: