Overview

File CVE-2022-48624.patch of Package less.33613

From c6ac6de49698be84d264a0c4c0c40bb870b10144 Mon Sep 17 00:00:00 2001
From: Mark Nudelman <markn@greenwoodsoftware.com>
Date: Sat, 25 Jun 2022 11:54:43 -0700
Subject: [PATCH] Shell-quote filenames when invoking LESSCLOSE.

---
 filename.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

Index: less-458/filename.c
===================================================================
--- less-458.orig/filename.c
+++ less-458/filename.c
@@ -950,6 +950,8 @@ close_altfile(altfilename, filename, pip
 {
 #if HAVE_POPEN
 	char *lessclose;
+	char *qfilename;
+	char *qaltfilename;
 	FILE *fd;
 	char *cmd;
 	int len;
@@ -974,9 +976,13 @@ close_altfile(altfilename, filename, pip
 		error("Invalid LESSCLOSE variable");
 		return;
 	}
-	len = strlen(lessclose) + strlen(filename) + strlen(altfilename) + 2;
+	qfilename = shell_quote(filename);
+	qaltfilename = shell_quote(altfilename);
+	len = (int) (strlen(lessclose) + strlen(qfilename) + strlen(qaltfilename) + 2);
 	cmd = (char *) ecalloc(len, sizeof(char));
-	SNPRINTF2(cmd, len, lessclose, filename, altfilename);
+	SNPRINTF2(cmd, len, lessclose, qfilename, qaltfilename);
+	free(qaltfilename);
+	free(qfilename);
 	fd = shellcmd(cmd);
 	free(cmd);
 	if (fd != NULL)
openSUSE Build Service is sponsored by
Places