diff --git a/meta/recipes-extended/less/files/CVE-2024-32487.patch b/meta/recipes-extended/less/files/CVE-2024-32487.patch new file mode 100644 index 0000000000..2d33099cd3 --- /dev/null +++ b/meta/recipes-extended/less/files/CVE-2024-32487.patch @@ -0,0 +1,74 @@ +From 007521ac3c95bc76e3d59c6dbfe75d06c8075c33 Mon Sep 17 00:00:00 2001 +From: Mark Nudelman +Date: Thu, 11 Apr 2024 17:49:48 -0700 +Subject: [PATCH] Fix bug when viewing a file whose name contains a newline. + +CVE: CVE-2024-32487 + +Upstream-Status: Backport [https://github.com/gwsw/less/commit/007521ac3c95bc76e3d59c6dbfe75d06c8075c33] + +Signed-off-by: Archana Polampalli +--- + filename.c | 29 ++++++++++++++++++++++++----- + 1 file changed, 24 insertions(+), 5 deletions(-) + +diff --git a/filename.c b/filename.c +index a8726dc..c4b35b1 100644 +--- a/filename.c ++++ b/filename.c +@@ -133,6 +133,15 @@ static int metachar(char c) + return (strchr(metachars(), c) != NULL); + } + ++/* ++ * Must use quotes rather than escape char for this metachar? ++ */ ++static int must_quote(char c) ++{ ++ /* {{ Maybe the set of must_quote chars should be configurable? }} */ ++ return (c == '\n'); ++} ++ + /* + * Insert a backslash before each metacharacter in a string. + */ +@@ -164,6 +173,9 @@ public char * shell_quote(char *s) + * doesn't support escape chars. Use quotes. + */ + use_quotes = 1; ++ } else if (must_quote(*p)) ++ { ++ len += 3; /* open quote + char + close quote */ + } else + { + /* +@@ -193,15 +205,22 @@ public char * shell_quote(char *s) + { + while (*s != '\0') + { +- if (metachar(*s)) ++ if (!metachar(*s)) + { +- /* +- * Add the escape char. +- */ ++ *p++ = *s++; ++ } else if (must_quote(*s)) ++ { ++ /* Surround the char with quotes. */ ++ *p++ = openquote; ++ *p++ = *s++; ++ *p++ = closequote; ++ } else ++ { ++ /* Insert an escape char before the char. */ + strcpy(p, esc); + p += esclen; ++ *p++ = *s++; + } +- *p++ = *s++; + } + *p = '\0'; + } +-- +2.40.0 diff --git a/meta/recipes-extended/less/less_643.bb b/meta/recipes-extended/less/less_643.bb index 67834bdd58..537283bde4 100644 --- a/meta/recipes-extended/less/less_643.bb +++ b/meta/recipes-extended/less/less_643.bb @@ -27,6 +27,7 @@ DEPENDS = "ncurses" SRC_URI = "http://www.greenwoodsoftware.com/${BPN}/${BPN}-${PV}.tar.gz \ file://run-ptest \ + file://CVE-2024-32487.patch \ " SRC_URI[sha256sum] = "2911b5432c836fa084c8a2e68f6cd6312372c026a58faaa98862731c8b6052e8"