[Buildroot] [git commit branch/2022.11.x] package/less: fix CVE-2022-46663

* [Buildroot] [git commit branch/2022.11.x] package/less: fix CVE-2022-46663
@ 2023-03-04 19:38 Peter Korsgaard
  0 siblings, 0 replies; only message in thread
From: Peter Korsgaard @ 2023-03-04 19:38 UTC (permalink / raw)
  To: buildroot

commit: https://git.buildroot.net/buildroot/commit/?id=9f0acac3f7608a17489c9a40ad646dbaea8788b5
branch: https://git.buildroot.net/buildroot/commit/?id=refs/heads/2022.11.x

In GNU Less before 609, crafted data can result in "less -R" not
filtering ANSI escape sequences sent to the terminal.

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 924ca9414fa962ce767c39b277489a0bdcbfad79)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
 ...rlink-on-invalid-embedded-escape-sequence.patch | 27 ++++++++++++++++++++++
 package/less/less.mk                               |  3 +++
 2 files changed, 30 insertions(+)

diff --git a/package/less/0001-End-OSC8-hyperlink-on-invalid-embedded-escape-sequence.patch b/package/less/0001-End-OSC8-hyperlink-on-invalid-embedded-escape-sequence.patch
new file mode 100644
index 0000000000..233f949e24
--- /dev/null
+++ b/package/less/0001-End-OSC8-hyperlink-on-invalid-embedded-escape-sequence.patch
@@ -0,0 +1,27 @@
+From a78e1351113cef564d790a730d657a321624d79c Mon Sep 17 00:00:00 2001
+From: Mark Nudelman <markn@greenwoodsoftware.com>
+Date: Fri, 7 Oct 2022 19:25:46 -0700
+Subject: [PATCH] End OSC8 hyperlink on invalid embedded escape sequence.
+
+[Retrieved from:
+https://github.com/gwsw/less/commit/a78e1351113cef564d790a730d657a321624d79c]
+Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
+---
+ line.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/line.c b/line.c
+index 236c49ae..cba7bdd1 100644
+--- a/line.c
++++ b/line.c
+@@ -633,8 +633,8 @@ ansi_step(pansi, ch)
+ 		/* Hyperlink ends with \7 or ESC-backslash. */
+ 		if (ch == '\7')
+ 			return ANSI_END;
+-		if (pansi->prev_esc && ch == '\\')
+-			return ANSI_END;
++		if (pansi->prev_esc)
++            return (ch == '\\') ? ANSI_END : ANSI_ERR;
+ 		pansi->prev_esc = (ch == ESC);
+ 		return ANSI_MID;
+ 	}
diff --git a/package/less/less.mk b/package/less/less.mk
index 7d7a6d5fe5..f01f94d6c8 100644
--- a/package/less/less.mk
+++ b/package/less/less.mk
@@ -11,6 +11,9 @@ LESS_LICENSE_FILES = COPYING
 LESS_CPE_ID_VENDOR = gnu
 LESS_DEPENDENCIES = ncurses
 
+# 0001-End-OSC8-hyperlink-on-invalid-embedded-escape-sequence.patch
+LESS_IGNORE_CVES += CVE-2022-46663
+
 define LESS_INSTALL_TARGET_CMDS
 	$(INSTALL) -m 0755 $(@D)/less $(TARGET_DIR)/usr/bin/less
 endef
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

^ permalink raw reply related	[flat|nested] only message in thread