Browse Source

Merge pull request #9692 from RussellSenior/patch-cve-13638

patch: apply upstream patch for CVE-2019-13638
lilik-openwrt-22.03
Rosen Penev 5 years ago
committed by GitHub
parent
commit
b38ca10029
No known key found for this signature in database GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 39 additions and 1 deletions
  1. +1
    -1
      devel/patch/Makefile
  2. +38
    -0
      devel/patch/patches/060-CVE-2019-13638.patch

+ 1
- 1
devel/patch/Makefile View File

@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
PKG_NAME:=patch PKG_NAME:=patch
PKG_VERSION:=2.7.6 PKG_VERSION:=2.7.6
PKG_RELEASE:=4
PKG_RELEASE:=5
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
PKG_SOURCE_URL:=@GNU/patch PKG_SOURCE_URL:=@GNU/patch


+ 38
- 0
devel/patch/patches/060-CVE-2019-13638.patch View File

@ -0,0 +1,38 @@
From 3fcd042d26d70856e826a42b5f93dc4854d80bf0 Mon Sep 17 00:00:00 2001
From: Andreas Gruenbacher <agruen@gnu.org>
Date: Fri, 6 Apr 2018 19:36:15 +0200
Subject: Invoke ed directly instead of using the shell
* src/pch.c (do_ed_script): Invoke ed directly instead of using a shell
command to avoid quoting vulnerabilities.
---
src/pch.c | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/src/pch.c b/src/pch.c
index 4fd5a05..16e001a 100644
--- a/src/pch.c
+++ b/src/pch.c
@@ -2459,9 +2459,6 @@ do_ed_script (char const *inname, char const *outname,
*outname_needs_removal = true;
copy_file (inname, outname, 0, exclusive, instat.st_mode, true);
}
- sprintf (buf, "%s %s%s", editor_program,
- verbosity == VERBOSE ? "" : "- ",
- outname);
fflush (stdout);
pid = fork();
@@ -2470,7 +2467,8 @@ do_ed_script (char const *inname, char const *outname,
else if (pid == 0)
{
dup2 (tmpfd, 0);
- execl ("/bin/sh", "sh", "-c", buf, (char *) 0);
+ assert (outname[0] != '!' && outname[0] != '-');
+ execlp (editor_program, editor_program, "-", outname, (char *) NULL);
_exit (2);
}
else
--
cgit v1.0-41-gc330

Loading…
Cancel
Save