Projects
Factory:RISC-V:Base
patch
_service:tar_scm:CVE-2018-20969-and-CVE-2019-13...
Sign Up
Log In
Username
Password
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File _service:tar_scm:CVE-2018-20969-and-CVE-2019-13638.patch of Package patch
From 3fcd042d26d70856e826a42b5f93dc4854d80bf0 Fri Apr 06 20:50:06 2018 From: Andreas Gruenbacher <agruen@gnu.org> Date: Fri, 06 Apr 2018 19:36:15 +0200 Subject: [PATCH] Invoke ed directly instead of using the shell * src/pch.c (do_ed_script): Invoke ed directly instead of using a shell command to avoid quoting vulnerabilities. fix CVE-2019-13638 CVE-2018-20969 https://git.savannah.gnu.org/cgit/patch.git/commit/?id=3fcd042d26d70856e826a42b5f93dc4854d80bf0 --- src/pch.c | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/src/pch.c b/src/pch.c index a602cbb..250308d 100644 --- a/src/pch.c +++ b/src/pch.c @@ -2471,9 +2471,6 @@ do_ed_script (char const *inname, char const *outname, *outname_needs_removal = true; copy_file (inname, outname, 0, exclusive, instat.st_mode, true); } - sprintf (buf, "%s %s%s", editor_program, - verbosity == VERBOSE ? "" : "- ", - outname); fflush (stdout); pid = fork(); @@ -2482,7 +2479,8 @@ do_ed_script (char const *inname, char const *outname, else if (pid == 0) { dup2 (tmpfd, 0); - execl ("/bin/sh", "sh", "-c", buf, (char *) 0); + assert (outname[0] != '!' && outname[0] != '-'); + execlp (editor_program, editor_program, "-", outname, (char *) NULL); _exit (2); } else -- 1.8.3.1
Locations
Projects
Search
Status Monitor
Help
Open Build Service
OBS Manuals
API Documentation
OBS Portal
Reporting a Bug
Contact
Mailing List
Forums
Chat (IRC)
Twitter
Open Build Service (OBS)
is an
openSUSE project
.
浙ICP备2022010568号-2