.gitignore

@@ -1 +1 @@
-SOURCES/less-530.tar.gz
+SOURCES/less-590.tar.gz

.less.metadata

@@ -1 +1 @@
-d8ba1f43e88b706ef701f978cd3262b5b44dffd6 SOURCES/less-530.tar.gz
+82188f425b5197c24b834ae80b95ec07be442c78 SOURCES/less-590.tar.gz

SOURCES/less-458-less-filters-man.patch

@@ -1,22 +1,24 @@
 diff -up less-466/less.nro.filters-man less-466/less.nro
 --- less-466/less.nro.filters-man	2014-09-18 14:32:32.124111631 +0200
 +++ less-466/less.nro	2014-09-18 14:32:39.548177152 +0200
-@@ -1234,6 +1234,18 @@ Similarly, if the first two characters o
+@@ -1323,7 +1323,19 @@ Similarly, if the first two characters of LESSOPEN are vertical bar and dash
  the input pipe is used on standard input as well as other files.
  Again, in this case the dash is not considered to be part of
  the input pipe command.
+-.
 +.PP
 +There are used following files to set up default preprocessor:
 +.br
-+	/etc/profile.d/less.sh
++       /etc/profile.d/less.sh
 +.br
-+	/etc/profile.d/less.csh
++       /etc/profile.d/less.csh
 +.br
 +These files set up /usr/bin/lesspipe.sh as a default filter. An user defined
 +filter can be specified in ~/.lessfilter. This file should have an execute bit
 +set and accept only one parameter, which represents a filename. If
 +the user defined filter process the file, zero should be returned. Otherwise
 +~/.lessfilter tries to handle the file.
- 
++
  .SH "NATIONAL CHARACTER SETS"
  There are three types of characters in the input file:
+ .IP "normal characters"

SOURCES/less-458-lessecho-usage.patch

@@ -2,7 +2,7 @@ diff -upr less-458_orig/lessecho.c less-458_work/lessecho.c
 --- less-458_orig/lessecho.c	2013-05-07 14:03:52.091104655 +0200
 +++ less-458_work/lessecho.c	2013-05-07 11:21:10.883991862 +0200
 @@ -41,7 +41,27 @@ static int num_metachars = 0;
- pr_usage()
+ pr_usage(VOID_PARAM)
  {
  	fprintf(stderr,
 -		"usage: lessecho [-ox] [-cx] [-pn] [-dn] [-mx] [-nn] [-ex] [-fn] [-a] file ...\n");

SOURCES/less-458-lesskey-usage.patch

@@ -2,8 +2,8 @@ diff -upr less-458_orig/lesskey.c less-458_work/lesskey.c
 --- less-458_orig/lesskey.c	2013-05-07 14:03:52.062104533 +0200
 +++ less-458_work/lesskey.c	2013-05-07 11:21:10.881991855 +0200
 @@ -217,7 +217,15 @@ extern char version[];
- 	void
- usage()
+ 	static void
+ usage(void)
  {
 -	fprintf(stderr, "usage: lesskey [-o output] [input]\n");
 +	fprintf(stderr, "usage: lesskey [-o output] [input]\n\n");

SOURCES/less-475-fsync.patch

@@ -1,7 +1,15 @@
-diff -ur less-418.orig/configure.ac less-418/configure.ac
---- less-418.orig/configure.ac	2008-12-22 07:10:44.000000000 -0500
-+++ less-418/configure.ac	2008-12-22 07:28:58.000000000 -0500
-@@ -203,6 +203,8 @@
+From 5396b6b77d0248678f716038dc747d6898acb0b3 Mon Sep 17 00:00:00 2001
+From: Stephen Gallagher <sgallagh@redhat.com>
+Date: Fri, 22 Jan 2021 09:49:13 -0500
+Subject: [PATCH] Test for fsync on tty
+
+Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
+
+Modified for less 581.2 Filip Januš <fjanus@redhat.com>
+diff -ur less-581.2/configure.ac less_fsync/configure.ac
+--- less-581.2/configure.ac	2021-04-28 17:00:08.000000000 +0200
++++ less_fsync/configure.ac	2021-05-06 10:59:07.560062397 +0200
+@@ -221,6 +221,8 @@
  	[Define HAVE_TIME_T if your system supports the "time_t" type.])
  AH_TEMPLATE([HAVE_STRERROR],
  	[Define HAVE_STRERROR if you have the strerror() function.])
@@ -10,16 +18,16 @@ diff -ur less-418.orig/configure.ac less-418/configure.ac
  AH_TEMPLATE([HAVE_FILENO],
  	[Define HAVE_FILENO if you have the fileno() macro.])
  AH_TEMPLATE([HAVE_ERRNO],
-@@ -251,7 +253,7 @@
+@@ -274,7 +276,7 @@
  
  # Checks for library functions.
  AC_TYPE_SIGNAL
--AC_CHECK_FUNCS([fsync popen _setjmp sigprocmask sigsetmask snprintf stat system fchmod])
-+AC_CHECK_FUNCS([popen _setjmp sigprocmask sigsetmask snprintf stat system fchmod])
+-AC_CHECK_FUNCS([fchmod fsync nanosleep poll popen realpath _setjmp sigprocmask sigsetmask snprintf stat system ttyname usleep])
++AC_CHECK_FUNCS([fchmod nanosleep poll popen realpath _setjmp sigprocmask sigsetmask snprintf stat system ttyname usleep])
  
  # AC_CHECK_FUNCS may not work for inline functions, so test these separately.
  AC_MSG_CHECKING(for memcpy)
-@@ -298,6 +300,16 @@
+@@ -321,6 +323,16 @@
  #endif], [static char *x; x = strerror(0);],
    [AC_MSG_RESULT(yes); AC_DEFINE(HAVE_STRERROR)], [AC_MSG_RESULT(no)])
  

SOURCES/less-590-CVE-2022-46663.patch

@@ -0,0 +1,21 @@
+commit a78e1351113cef564d790a730d657a321624d79c
+Author: Mark Nudelman <markn@greenwoodsoftware.com>
+Date:   Fri Oct 7 19:25:46 2022 -0700
+
+    End OSC8 hyperlink on invalid embedded escape sequence.
+
+diff --git a/line.c b/line.c
+index 236c49a..cba7bdd 100644
+--- a/line.c
++++ b/line.c
+@@ -633,8 +633,8 @@ ansi_step(pansi, ch)
+ 		/* Hyperlink ends with \7 or ESC-backslash. */
+ 		if (ch == '\7')
+ 			return ANSI_END;
+-		if (pansi->prev_esc && ch == '\\')
+-			return ANSI_END;
++		if (pansi->prev_esc)
++            return (ch == '\\') ? ANSI_END : ANSI_ERR;
+ 		pansi->prev_esc = (ch == ESC);
+ 		return ANSI_MID;
+ 	}

SOURCES/less-590-fix_sast1.patch

@@ -0,0 +1,26 @@
+diff -up less-590/command.c.fix_sast1 less-590/command.c
+--- less-590/command.c.fix_sast1	2021-06-03 19:45:48.000000000 +0200
++++ less-590/command.c	2024-08-06 23:28:58.042048590 +0200
+@@ -927,8 +927,8 @@ getcc_repl(orig, repl, gr_getc, gr_unget
+ 	LWCHAR (*gr_getc)(VOID_PARAM);
+ 	void (*gr_ungetc)(LWCHAR);
+ {
+-	LWCHAR c;
+-	LWCHAR keys[16];
++	char c;
++	char keys[16];
+ 	int ki = 0;
+ 
+ 	c = (*gr_getc)();
+diff -up less-590/decode.c.fix_sast1 less-590/decode.c
+--- less-590/decode.c.fix_sast1	2024-08-06 23:28:58.041048580 +0200
++++ less-590/decode.c	2024-08-06 23:29:55.715615701 +0200
+@@ -934,7 +934,7 @@ add_hometable(call_lesskey, envname, def
+ 	char *def_filename;
+ 	int sysvar;
+ {
+-	char *filename;
++	char *filename = NULL;
+ 	int r;
+ 
+ 	if (envname != NULL && (filename = lgetenv(envname)) != NULL)

SOURCES/less-590-fix_sast2.patch

@@ -0,0 +1,53 @@
+diff -up less-590/lesskey_parse.c.fix_sast2 less-590/lesskey_parse.c
+--- less-590/lesskey_parse.c.fix_sast2	2024-08-06 23:42:33.839079731 +0200
++++ less-590/lesskey_parse.c	2024-08-06 23:47:17.433874330 +0200
+@@ -548,9 +548,9 @@ parse_lesskey(infile, tables)
+ 	FILE *desc;
+ 	char line[1024];
+ 
+-	if (infile == NULL)
+-		infile = homefile(DEF_LESSKEYINFILE);
+-	lesskey_file = infile;
++	lesskey_file = (infile != NULL) ? strdup(infile) : homefile(DEF_LESSKEYINFILE);
++	if (lesskey_file == NULL)
++		return (-1);
+ 
+ 	init_tables(tables);
+ 	errors = 0;
+@@ -559,22 +559,29 @@ parse_lesskey(infile, tables)
+ 	/*
+ 	 * Open the input file.
+ 	 */
+-	if (strcmp(infile, "-") == 0)
++	if (strcmp(lesskey_file, "-") == 0)
+ 		desc = stdin;
+-	else if ((desc = fopen(infile, "r")) == NULL)
++	else if ((desc = fopen(lesskey_file, "r")) == NULL)
+ 	{
+-		/* parse_error("cannot open lesskey file ", infile); */
+-		return (-1);
++		/* parse_error("cannot open lesskey file %s", lesskey_file); */
++		errors = -1;
+ 	}
+ 
+ 	/*
+ 	 * Read and parse the input file, one line at a time.
+ 	 */
+-	while (fgets(line, sizeof(line), desc) != NULL)
++	if (desc != NULL)
+ 	{
+-		++linenum;
+-		parse_line(line, tables);
++		while (fgets(line, sizeof(line), desc) != NULL)
++		{
++			++linenum;
++			parse_line(line, tables);
++		}
++		if (desc != stdin)
++			fclose(desc);
+ 	}
++	free(lesskey_file);
++	lesskey_file = NULL;
+ 
+ 	return (errors);
+ }

SOURCES/lesspipe.sh

@@ -51,10 +51,13 @@ manfilter ()
 export MAN_KEEP_FORMATTING=1
 
 case "$1" in
-*.[1-9n].bz2|*.[1-9]x.bz2|*.man.bz2|*.[1-9n].[gx]z|*.[1-9]x.[gx]z|*.man.[gx]z|*.[1-9n].lzma|*.[1-9]x.lzma|*.man.lzma)
+*.[1-9n].bz2|*.[1-9]x.bz2|*.man.bz2|*.[1-9n].[glx]z|*.[1-9]x.[glx]z|*.man.[glx]z|*.[1-9n].lzma|*.[1-9]x.lzma|*.man.lzma|*.[1-9n].zst|*.[1-9]x.zst|*.man.zst|*.[1-9n].br|*.[1-9]x.br|*.man.br)
 	case "$1" in
 	*.gz)		DECOMPRESSOR="gzip -dc" ;;
 	*.bz2)		DECOMPRESSOR="bzip2 -dc" ;;
+	*.lz)		DECOMPRESSOR="lzip -dc" ;;
+	*.zst)		DECOMPRESSOR="zstd -dcq" ;;
+	*.br)		DECOMPRESSOR="brotli -dc" ;;
 	*.xz|*.lzma)	DECOMPRESSOR="xz -dc" ;;
 	esac
 	if [ -n "$DECOMPRESSOR" ] && $DECOMPRESSOR -- "$1" | file - | grep -q troff; then
@@ -70,6 +73,12 @@ case "$1" in
 *.tgz|*.tar.gz|*.tar.[zZ]) tar tzvvf "$1"; exit $? ;;
 *.tar.xz) tar Jtvvf "$1"; exit $? ;;
 *.xz|*.lzma) xz -dc -- "$1"; exit $? ;;
+*.tar.lz) tar --lzip -tvvf "$1"; exit $? ;;
+*.lz) lzip -dc -- "$1"; exit $? ;;
+*.tar.zst) tar --zstd -tvvf "$1"; exit $? ;;
+*.zst) zstd -dcq -- "$1"; exit $? ;;
+*.tar.br) brotli -dc -- "$1" | tar tvvf -; exit $? ;;
+*.br) brotli -dc -- "$1"; exit $? ;;
 *.tar.bz2|*.tbz2) bzip2 -dc -- "$1" | tar tvvf -; exit $? ;;
 *.[zZ]|*.gz) gzip -dc -- "$1"; exit $? ;;
 *.bz2) bzip2 -dc -- "$1"; exit $? ;;

SPECS/less.spec

@@ -1,61 +1,74 @@
 Summary: A text file browser similar to more, but better
 Name: less
-Version: 530
-Release: 3%{?dist}
+Version: 590
+Release: 5%{?dist}
 License: GPLv3+ or BSD
-Group: Applications/Text
-Source: http://www.greenwoodsoftware.com/less/%{name}-%{version}.tar.gz
+Source0: https://www.greenwoodsoftware.com/less/%{name}-%{version}.tar.gz
 Source1: lesspipe.sh
 Source2: less.sh
 Source3: less.csh
 Patch4: less-394-time.patch
-Patch5: less-418-fsync.patch
+Patch5: less-475-fsync.patch
 Patch6: less-436-manpage-add-old-bot-option.patch
 Patch7: less-436-help.patch
 Patch8: less-458-lessecho-usage.patch
 Patch9: less-458-less-filters-man.patch
 Patch10: less-458-lesskey-usage.patch
 Patch11: less-458-old-bot-in-help.patch
-Patch12: less-530-CVE-2022-48624.patch
-Patch13: less-530-CVE-2024-32487.patch
-URL: http://www.greenwoodsoftware.com/less/
+Patch12: less-590-CVE-2022-46663.patch
+Patch13: less-590-CVE-2022-48624.patch
+# from upstream, for less < 661 , RHEL-32739
+Patch14: less-590-CVE-2024-32487.patch
+
+# from upstream, for less < 661, RHEL-51178
+# based on https://github.com/gwsw/less/commit/2a79e5cd341f9c8437a71096c23c8fe8e94b7d0a
+# based on https://github.com/gwsw/less/commit/987ebdc424c4865bf883eb0b11aea2b261b353f2
+Patch15: less-590-fix_sast1.patch
+
+# from upstream, for less < 661, based on commit#1649cc355a9eb824837feb4359828f5627e2eb69, RHEL-51178
+Patch16: less-590-fix_sast2.patch
+URL: https://www.greenwoodsoftware.com/less/
 BuildRequires: ncurses-devel
 BuildRequires: autoconf automake libtool
+BuildRequires: make
 
 %description
 The less utility is a text file browser that resembles more, but has
 more capabilities.  Less allows you to move backwards in the file as
 well as forwards.  Since less doesn't have to read the entire input file
 before it starts, less starts up more quickly than text editors (for
-example, vi). 
+example, vi).
 
 You should install less because it is a basic utility for viewing text
 files, and you'll use it frequently.
 
 %prep
 %setup -q
-%patch4 -p1 -b .time
-%patch5 -p1 -b .fsync
-%patch6 -p1 -b .manpage-add-old-bot-option
-%patch7 -p1 -b .help
-%patch8 -p1 -b .lessecho-usage
-%patch9 -p1 -b .less-filters-man
-%patch10 -p1 -b .lesskey-usage
-%patch11 -p1 -b .old-bot
-%patch12 -p1 -b .CVE-2022-48624
-%patch13 -p1 -b .CVE-2024-32487
+%patch -P 4 -p1 -b .time
+%patch -P 5 -p1 -b .fsync
+%patch -P 6 -p1 -b .manpage-add-old-bot-option
+%patch -P 7 -p1 -b .help
+%patch -P 8 -p1 -b .lessecho-usage
+%patch -P 9 -p1 -b .less-filters-man
+%patch -P 10 -p1 -b .lesskey-usage
+%patch -P 11 -p1 -b .old-bot
+%patch -P 12 -p1 -b .CVE-2022-46663
+%patch -P 13 -p1 -b .CVE-2022-48624
+%patch -P 14 -p1 -b .CVE-2024-32487
+%patch -P 15 -p1 -b .fix_sast1
+%patch -P 16 -p1 -b .fix_sast2
 
 
 %build
 rm -f ./configure
 autoreconf -fiv
 %configure
-make %{?_smp_mflags} CFLAGS="%{optflags} -D_GNU_SOURCE -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64"
+%make_build CFLAGS="%{optflags} -D_GNU_SOURCE -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64"
 
 %install
 %make_install
 mkdir -p $RPM_BUILD_ROOT/etc/profile.d
-install -p        %{SOURCE1} $RPM_BUILD_ROOT/%{_bindir}
+install -p        %{SOURCE1} $RPM_BUILD_ROOT%{_bindir}
 install -p -m 644 %{SOURCE2} $RPM_BUILD_ROOT/etc/profile.d
 install -p -m 644 %{SOURCE3} $RPM_BUILD_ROOT/etc/profile.d
 
@@ -67,13 +80,69 @@ install -p -m 644 %{SOURCE3} $RPM_BUILD_ROOT/etc/profile.d
 %{_mandir}/man1/*
 
 %changelog
-* Tue Apr 23 2024 Matej Mužila <mmuzila@redhat.com> - 530-3
-- Fix CVE-2024-32487
-- Resolves: RHEL-32738
+* Tue Aug 06 2024 Michal Hlavinka <mhlavink@redhat.com> - 590-5
+- fix static analysis findings (RHEL-51178)
 
-* Wed Feb 21 2024 Matej Mužila <mmuzila@redhat.com> - 530-2
+* Tue Aug 06 2024 Michal Hlavinka <mhlavink@redhat.com> - 590-4
+- fix less with LESSOPEN allowing command injection (CVE-2024-32487) (RHEL-32739)
+
+* Wed Feb 21 2024 Matej Mužila <mmuzila@redhat.com> 590-3
 - Fix CVE-2022-48624
-- Resolves: RHEL-26124
+- Resolves: RHEL-26265
+
+* Thu Apr 20 2023 Matej Mužila <mmuzila@redhat.com> 590-2
+- Fix CVE-2022-46663
+- Resolves: CVE-2022-46663
+
+* Tue Apr 19 2022 Honza Horak <hhorak@redhat.com> - 590-1
+- Update to the version 590
+- Also solves the "message overlay" in the terminal
+  Resolves: #2062188
+
+* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 575-4
+- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
+  Related: rhbz#1991688
+
+* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 575-3
+- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
+
+* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 575-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+
+* Fri Jan 22 2021 Stephen Gallagher <sgallagh@redhat.com> - 575-1
+- Update to latest version (#1919119)
+
+* Mon Nov 30 2020 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 568-1
+- Update to latest version (#1818534)
+
+* Thu Aug 20 2020 Andrew Schorr <ajschorr@fedoraproject.org> - 551-5
+- Add zstd and brotli support to lesspipe.sh
+
+* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 551-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 551-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
+* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 551-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
+* Wed Jul 17 2019 Matej Mužila <mmuzila@redhat.com> - 551-1
+- Update to new upstream release
+- Resolves: #1719419
+
+* Tue Jun 04 2019 Matej Mužila <mmuzila@redhat.com> - 550-1
+- Update to new upstream release
+- Resolves: #1674080
+
+* Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 530-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+
+* Wed Jan 09 2019 Pavel Raiskup <praiskup@redhat.com> - 530-3
+- add lzip compression support into lesspipe.sh (rhbz#1664383)
+
+* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 530-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
 
 * Sat Feb 17 2018 Pavel Raiskup <praiskup@redhat.com> - 530-1
 - new release, per upstream release notes: