Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status
summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorSam James <sam@gentoo.org>2024-04-14 01:47:11 +0100
committerSam James <sam@gentoo.org>2024-04-14 01:49:11 +0100
commite9856cc39c2e0ee09e32358b23a120d855e4953c (patch)
tree10f2f672d5c6f342729647b1d96dec977c025f3f
parentdev-vcs/tortoisehg: 6.6.3 version bump; add 9999.ebuild py3.12 compat (diff)
downloadgentoo-e9856cc39c2e0ee09e32358b23a120d855e4953c.tar.gz
gentoo-e9856cc39c2e0ee09e32358b23a120d855e4953c.tar.bz2
gentoo-e9856cc39c2e0ee09e32358b23a120d855e4953c.zip
sys-apps/less: fix LESSOPEN escape vulnerability
Special thanks to the less upstream maintainer, Mark Nudelman, for providing us with a backport to 643. Bug: https://bugs.gentoo.org/929210 Signed-off-by: Sam James <sam@gentoo.org>
Diffstat
-rw-r--r--sys-apps/less/files/less-643-LESSOPEN-escape.patch61
-rw-r--r--sys-apps/less/less-643-r2.ebuild97
2 files changed, 158 insertions, 0 deletions
diff --git a/sys-apps/less/files/less-643-LESSOPEN-escape.patch b/sys-apps/less/files/less-643-LESSOPEN-escape.patch
new file mode 100644
index 000000000000..f3fe50fcfaa2
--- /dev/null
+++ b/sys-apps/less/files/less-643-LESSOPEN-escape.patch
@@ -0,0 +1,61 @@
+https://openwall.com/lists/oss-security/2024/04/12/5
+https://bugs.gentoo.org/929210
+https://github.com/gwsw/less/commit/007521ac3c95bc76e3d59c6dbfe75d06c8075c33
+
+Upstream provided this version via email as a backport to 643.
+--- a/filename.c
++++ b/filename.c
+@@ -134,6 +134,15 @@
+ }
+
+ /*
++ * Must use quotes rather than escape char for this metachar?
++ */
++static int must_quote(char c)
++{
++ /* {{ Maybe the set of must_quote chars should be configurable? }} */
++ return (c == '\n');
++}
++
++/*
+ * Insert a backslash before each metacharacter in a string.
+ */
+ public char * shell_quote(char *s)
+@@ -164,6 +173,9 @@
+ * doesn't support escape chars. Use quotes.
+ */
+ use_quotes = 1;
++ } else if (must_quote(*p))
++ {
++ len += 3; /* open quote + char + close quote */
+ } else
+ {
+ /*
+@@ -193,15 +205,22 @@
+ {
+ while (*s != '\0')
+ {
+- if (metachar(*s))
++ if (!metachar(*s))
+ {
+- /*
+- * Add the escape char.
+- */
++ *p++ = *s++;
++ } else if (must_quote(*s))
++ {
++ /* Surround the char with quotes. */
++ *p++ = openquote;
++ *p++ = *s++;
++ *p++ = closequote;
++ } else
++ {
++ /* Insert an escape char before the char. */
+ strcpy(p, esc);
+ p += esclen;
++ *p++ = *s++;
+ }
+- *p++ = *s++;
+ }
+ *p = '\0';
+ }
diff --git a/sys-apps/less/less-643-r2.ebuild b/sys-apps/less/less-643-r2.ebuild
new file mode 100644
index 000000000000..a8159dc3fa9f
--- /dev/null
+++ b/sys-apps/less/less-643-r2.ebuild
@@ -0,0 +1,97 @@
+# Copyright 1999-2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+# Releases are usually first a beta then promoted to stable if no
+# issues were found. Upstream explicitly ask "to not generally distribute"
+# the beta versions. It's okay to keyword beta versions if they fix
+# a serious bug, but otherwise try to avoid it.
+
+WANT_AUTOMAKE=none
+WANT_LIBTOOL=none
+inherit autotools flag-o-matic optfeature toolchain-funcs
+
+DESCRIPTION="Excellent text file viewer"
+HOMEPAGE="https://www.greenwoodsoftware.com/less/"
+
+MY_PV=${PV/_beta/-beta}
+MY_P=${PN}-${MY_PV}
+
+if [[ ${PV} == 9999 ]]; then
+ EGIT_REPO_URI="https://github.com/gwsw/less"
+ inherit git-r3
+else
+ SRC_URI="https://www.greenwoodsoftware.com/less/${MY_P}.tar.gz"
+
+ if [[ ${PV} != *_beta* ]] ; then
+ KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris"
+ fi
+fi
+
+S="${WORKDIR}"/${MY_P/?beta}
+
+LICENSE="|| ( GPL-3 BSD-2 )"
+SLOT="0"
+IUSE="pcre test"
+# chinese1, utf8-2
+RESTRICT="test !test? ( test )"
+
+DEPEND="
+ >=app-misc/editor-wrapper-3
+ >=sys-libs/ncurses-5.2:=
+ pcre? ( dev-libs/libpcre2 )
+"
+RDEPEND="${DEPEND}"
+BDEPEND="test? ( virtual/pkgconfig )"
+
+PATCHES=(
+ "${FILESDIR}"/${PN}-643-lesstest-pkg-config.patch
+ "${FILESDIR}"/${PN}-643-LESSOPEN-escape.patch
+)
+
+src_prepare() {
+ default
+ # Per upstream README to prepare live build
+ [[ ${PV} == 9999 ]] && emake -f Makefile.aut distfiles
+ # Upstream uses unpatched autoconf-2.69, which breaks with clang-16.
+ # https://bugs.gentoo.org/870412
+ eautoreconf
+}
+
+src_configure() {
+ append-lfs-flags # bug #896316
+
+ local myeconfargs=(
+ --with-regex=$(usex pcre pcre2 posix)
+ --with-editor="${EPREFIX}"/usr/libexec/editor
+ )
+ econf "${myeconfargs[@]}"
+}
+
+src_test() {
+ emake check VERBOSE=1 CC="$(tc-getCC)" PKG_CONFIG="$(tc-getPKG_CONFIG)"
+}
+
+src_install() {
+ default
+
+ keepdir /usr/lib/lessfilter.d
+ keepdir /etc/lessfilter.d
+
+ newbin "${FILESDIR}"/lesspipe-r3.sh lesspipe
+ newenvd "${FILESDIR}"/less.envd 70less
+}
+
+pkg_preinst() {
+ optfeature "Colorized output support" dev-python/pygments
+
+ if has_version "<${CATEGORY}/${PN}-483-r1" ; then
+ elog "The lesspipe.sh symlink has been dropped. If you are still setting"
+ elog "LESSOPEN to that, you will need to update it to '|lesspipe %s'."
+ fi
+
+ if has_version "<${CATEGORY}/${PN}-643" ; then
+ elog "less now colorizes by default. To disable this, set LESSCOLOR=no."
+ fi
+}