Gentoo's Bugzilla – Attachment 48126 Details for
Bug 77408
app-text/enscript CAN-2004-118{4,5,6}: Multiple issues
[patch]
CAN-2004-1184.patch
CAN-2004-1184.patch (text/plain), 4.53 KB, created by
Sune Kloppenborg Jeppesen (RETIRED)
on 2005-01-10 13:15:57 UTC
Description:
CAN-2004-1184.patch
Creator:
Sune Kloppenborg Jeppesen (RETIRED)
Created:
2005-01-10 13:15:57 UTC
Size:
4.53 KB
>diff -u -p -Nr --exclude CVS orig/enscript-1.6.3/debian/changelog enscript-1.6.3.CAN-2004-1184/debian/changelog
>--- orig/enscript-1.6.3/debian/changelog 2005-01-04 20:52:31.000000000 +0100
>+++ enscript-1.6.3.CAN-2004-1184/debian/changelog 2005-01-04 21:15:17.000000000 +0100
>@@ -1,3 +1,12 @@
>+enscript (1.6.3-1.2) stable-security; urgency=high
>+
>+ * Non-maintainer upload by the Security Team
>+ * Corrected handling of user supplied input (filename, title) when
>+ executing shell commands [src/gsint.h, src/main.c, src/util.c,
>+ CAN-2004-1184]
>+
>+ --
>+
> enscript (1.6.3-1.1) unstable; urgency=low
>
> * Non maintainer upload
>diff -u -p -Nr --exclude CVS orig/enscript-1.6.3/src/gsint.h enscript-1.6.3.CAN-2004-1184/src/gsint.h
>--- orig/enscript-1.6.3/src/gsint.h 2000-07-11 17:28:06.000000000 +0200
>+++ enscript-1.6.3.CAN-2004-1184/src/gsint.h 2005-01-04 20:45:24.000000000 +0100
>@@ -701,4 +701,9 @@ FILE *printer_open ___P ((char *cmd, cha
> */
> void printer_close ___P ((void *context));
>
>+/*
>+ * Escape filenames for shell usage
>+ */
>+char *shell_escape ___P ((const char *fn));
>+
> #endif /* not GSINT_H */
>diff -u -p -Nr --exclude CVS orig/enscript-1.6.3/src/main.c enscript-1.6.3.CAN-2004-1184/src/main.c
>--- orig/enscript-1.6.3/src/main.c 2005-01-04 20:52:31.000000000 +0100
>+++ enscript-1.6.3.CAN-2004-1184/src/main.c 2005-01-05 10:57:44.000000000 +0100
>@@ -1555,9 +1555,13 @@ name width\theight\tllx\tlly
> buffer_append (&cmd, intbuf);
> buffer_append (&cmd, " ");
>
>- buffer_append (&cmd, "-Ddocument_title=\"");
>- buffer_append (&cmd, title);
>- buffer_append (&cmd, "\" ");
>+ buffer_append (&cmd, "-Ddocument_title=\'");
>+ if ((cp = shell_escape (title)) != NULL)
>+ {
>+ buffer_append (&cmd, cp);
>+ free (cp);
>+ }
>+ buffer_append (&cmd, "\' ");
>
> buffer_append (&cmd, "-Dtoc=");
> buffer_append (&cmd, toc ? "1" : "0");
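Review bot: The comment on the new `shell_escape` declaration in src/gsint.h ("Escape filenames for shell usage") leaves out the contract that callers depend on. Going by the definition added in src/util.c, the result is only meaningful inside a single-quoted shell word, the caller supplies the surrounding quotes, the caller must free the result, and NULL comes back on allocation failure. I would replace the comment with `/* Escape FN for use inside a '...' shell word; the caller adds the quotes and free()s the result. Returns NULL if allocation fails. */`.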
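Review bot: When `shell_escape (title)` returns NULL the title is silently left out and the command is still built with `-Ddocument_title=''`. The same skip-on-NULL pattern appears in the input-file loop at @@ -1574 in this file, where the file is omitted from the command line, and in `is_open` in src/util.c at @@ -1902, where the filter command is built without a file name. An allocation failure should stop the run rather than change what the spawned command operates on, for example `if ((cp = shell_escape (title)) == NULL) exit (1);` after reporting the error through whatever fatal-error helper main.c already uses. The declaration of `cp` and the rest of the enclosing function are outside this hunk.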
>@@ -1574,8 +1578,14 @@ name width\theight\tllx\tlly
> /* Append input files. */
> for (i = optind; i < argc; i++)
> {
>- buffer_append (&cmd, " ");
>- buffer_append (&cmd, argv[i]);
>+ char *cp;
>+ if ((cp = shell_escape (argv[i])) != NULL)
>+ {
>+ buffer_append (&cmd, " \'");
>+ buffer_append (&cmd, cp);
>+ buffer_append (&cmd, "\'");
>+ free (cp);
>+ }
> }
>
> /* And do the job. */
>@@ -1636,7 +1645,7 @@ name width\theight\tllx\tlly
> buffer_ptr (opts), buffer_len (opts));
> }
>
>- buffer_append (&buffer, " \"%s\"");
>+ buffer_append (&buffer, " \'%s\'");
>
> input_filter = buffer_copy (&buffer);
> input_filter_stdin = "-";
>diff -u -p -Nr --exclude CVS orig/enscript-1.6.3/src/util.c enscript-1.6.3.CAN-2004-1184/src/util.c
>--- orig/enscript-1.6.3/src/util.c 1999-09-17 17:26:51.000000000 +0200
>+++ enscript-1.6.3.CAN-2004-1184/src/util.c 2005-01-05 10:43:23.000000000 +0100
>@@ -1239,6 +1239,8 @@ escape_string (char *string)
>
> /* Create result. */
> cp = xmalloc (len + 1);
>+ if (cp == NULL)
>+ return NULL;
> for (i = 0, j = 0; string[i]; i++)
> switch (string[i])
> {
>@@ -1879,6 +1881,7 @@ is_open (InputStream *is, FILE *fp, char
> char *cmd = NULL;
> int cmdlen;
> int i, pos;
>+ char *cp;
>
> is->is_pipe = 1;
>
>@@ -1902,12 +1905,16 @@ is_open (InputStream *is, FILE *fp, char
> {
> case 's':
> /* Expand cmd-buffer. */
>- cmdlen += strlen (fname);
>- cmd = xrealloc (cmd, cmdlen);
>+ if ((cp = shell_escape (fname)) != NULL)
>+ {
>+ cmdlen += strlen (cp);
>+ cmd = xrealloc (cmd, cmdlen);
>
>- /* Paste filename. */
>- strcpy (cmd + pos, fname);
>- pos += strlen (fname);
>+ /* Paste filename. */
>+ strcpy (cmd + pos, cp);
>+ pos += strlen (cp);
>+ free (cp);
>+ }
>
> i++;
> break;
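Review bot: The added `if (cp == NULL) return NULL;` in `escape_string` (src/util.c, @@ -1239) introduces a NULL return that no caller is updated to handle in this patch. If `xmalloc` terminates on failure, which the unchecked `xrealloc` result in `is_open` at @@ -1902 suggests is the convention here, the check is dead code and can be dropped. If `xmalloc` can return NULL, the callers of `escape_string` need a matching check, and the function should carry a comment such as `/* Returns NULL if allocation fails. */`. The rest of `escape_string` and its callers are outside this hunk.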
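Review bot: The `%s` expansion in `is_open` (src/util.c, @@ -1902) pastes the `shell_escape` result without adding quotes, so it is only safe if the filter template already wraps `%s` in single quotes. `shell_escape` rewrites nothing but `'`, and the hunk at @@ -1636 in src/main.c fixes only the template built there. If a template can reach `is_open` from elsewhere with `%s` bare or inside double quotes (for instance a filter string from the user or a config file; not visible in this patch), other shell metacharacters in the file name would still be interpreted. I would either have this case emit the quotes itself and drop them from the main.c template, or at minimum document it with `/* NOTE: cp is escaped for a '...' context only; the filter template must single-quote %s. */`. The start and end of `is_open` are outside the hunk.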
>@@ -2116,3 +2123,36 @@ buffer_len (Buffer *buffer)
> {
> return buffer->len;
> }
>+
>+/*
>+ * Escapes the name of a file so that the shell groks it in 'single'
>+ * quotation marks. The resulting pointer has to be free()ed when not
>+ * longer used.
>+*/
>+char *
>+shell_escape(const char *fn)
>+{
>+ size_t len = 0;
>+ const char *inp;
>+ char *retval, *outp;
>+
>+ for(inp = fn; *inp; ++inp)
>+ switch(*inp)
>+ {
>+ case '\'': len += 4; break;
>+ default: len += 1; break;
>+ }
>+
>+ outp = retval = malloc(len + 1);
>+ if(!outp)
>+ return NULL; /* perhaps one should do better error handling here */
>+ for(inp = fn; *inp; ++inp)
>+ switch(*inp)
>+ {
>+ case '\'': *outp++ = '\''; *outp++ = '\\'; *outp++ = '\'', *outp++ = '\''; break;
>+ default: *outp++ = *inp; break;
>+ }
>+ *outp = 0;
>+
>+ return retval;
>+}
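Review bot: The replacement for a quote in `shell_escape` is written as four separate stores, the third ending in a comma operator (`*outp++ = '\'', *outp++ = '\'';`) where a semicolon was evidently meant. It behaves correctly, but it is easy to misread in the one line that carries the security fix. Writing the sequence once, `memcpy (outp, "'\\''", 4); outp += 4;`, keeps the emitted bytes visibly in step with the `len += 4` in the counting pass. The header comment should read "when no longer used" and could also say that NULL is returned on allocation failure. The function uses plain `malloc`, unlike the `xmalloc`/`xrealloc` calls seen elsewhere in this file's hunks, and switching would be consistent if those helpers handle failure themselves.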