rpms/less
6
0
Fork 0
Code Issues Pull Requests Releases Activity

Fix CVE-2024-32487

Browse Source 
Add gating.yaml
Resolves: RHEL-32740
This commit is contained in:
Matej Mužila 2024-04-23 12:43:26 +02:00
parent 49993f9ad0
commit cb00d47eba
3 changed files with 79 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
gating.yaml Normal file
View File

@ -0,0 +1,6 @@
--- !Policy
product_versions:
- rhel-10
decision_context: osci_compose_gate
rules:
- !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.tier1.functional}

65
less-643-CVE-2024-32487.patch Normal file
View File

@ -0,0 +1,65 @@
Patch backported from:
commit 007521ac3c95bc76e3d59c6dbfe75d06c8075c33
Author: Mark Nudelman <markn@greenwoodsoftware.com>
Date: Thu Apr 11 17:49:48 2024 -0700
Fix bug when viewing a file whose name contains a newline.
diff -up less-643/filename.c.cve-2024-32487 less-643/filename.c
--- less-643/filename.c.cve-2024-32487 2023-07-21 00:43:14.000000000 +0200
+++ less-643/filename.c 2024-04-23 10:24:17.347269703 +0200
@@ -128,6 +128,15 @@ static char * metachars(void)
}
/*
+ * Must use quotes rather than escape char for this metachar?
+ */
+static int must_quote(char c)
+{
+ /* {{ Maybe the set of must_quote chars should be configurable? }} */
+ return (c == '\n');
+}
+
+/*
* Insert a backslash before each metacharacter in a string.
*/
public char * shell_quote(char *s)
@@ -164,6 +173,9 @@ public char * shell_quote(char *s)
* doesn't support escape chars. Use quotes.
*/
use_quotes = 1;
+ } else if (must_quote(*p))
+ {
+ len += 3; /* open quote + char + close quote */
} else
{
/*
@@ -193,15 +205,22 @@ public char * shell_quote(char *s)
{
while (*s != '\0')
{
- if (metachar(*s))
+ if (!metachar(*s))
{
- /*
- * Add the escape char.
- */
+ *p++ = *s++;
+ } else if (must_quote(*s))
+ {
+ /* Surround the char with quotes. */
+ *p++ = openquote;
+ *p++ = *s++;
+ *p++ = closequote;
+ } else
+ {
+ /* Insert an escape char before the char. */
strcpy(p, esc);
p += esclen;
+ *p++ = *s++;
}
- *p++ = *s++;
}
*p = '\0';
}

9
less.spec
View File

@ -1,7 +1,7 @@
Summary: A text file browser similar to more, but better Summary: A text file browser similar to more, but better
Name: less Name: less
Version: 643 Version: 643
Release: 4%{?dist} Release: 5%{?dist}
License: GPL-3.0-only and BSD-2-Clause License: GPL-3.0-only and BSD-2-Clause
Source0: https://www.greenwoodsoftware.com/less/%{name}-%{version}.tar.gz Source0: https://www.greenwoodsoftware.com/less/%{name}-%{version}.tar.gz
Source1: lesspipe.sh Source1: lesspipe.sh
@ -14,6 +14,7 @@ Patch8: less-458-lessecho-usage.patch
Patch9: less-458-less-filters-man.patch Patch9: less-458-less-filters-man.patch
Patch10: less-458-lesskey-usage.patch Patch10: less-458-lesskey-usage.patch
Patch11: less-458-old-bot-in-help.patch Patch11: less-458-old-bot-in-help.patch
Patch12: less-643-CVE-2024-32487.patch
URL: https://www.greenwoodsoftware.com/less/ URL: https://www.greenwoodsoftware.com/less/
BuildRequires: ncurses-devel BuildRequires: ncurses-devel
BuildRequires: autoconf automake libtool BuildRequires: autoconf automake libtool
@ -38,6 +39,7 @@ files, and you'll use it frequently.
%patch9 -p1 -b .less-filters-man %patch9 -p1 -b .less-filters-man
%patch10 -p1 -b .lesskey-usage %patch10 -p1 -b .lesskey-usage
%patch11 -p1 -b .old-bot %patch11 -p1 -b .old-bot
%patch12 -p1 -b .CVE-2024-32487
%build %build
@ -61,6 +63,11 @@ install -p -m 644 %{SOURCE3} $RPM_BUILD_ROOT/etc/profile.d
%{_mandir}/man1/* %{_mandir}/man1/*
%changelog %changelog
* Tue Apr 23 2024 Matej Mužila <mmuzila@redhat.com> - 643-5
- Fix CVE-2024-32487
- Add gating.yaml
- Resolves: RHEL-32740
* Tue Feb 06 2024 Matej Mužila <mmuzila@redhat.com> - 643-4 * Tue Feb 06 2024 Matej Mužila <mmuzila@redhat.com> - 643-4
- migrated to SPDX license - migrated to SPDX license