tools/patch: apply upstream patch for cve-2019-13638
[openwrt/openwrt.git] / tools / patch / patches / 060-CVE-2019-13638.patch
1 From 3fcd042d26d70856e826a42b5f93dc4854d80bf0 Mon Sep 17 00:00:00 2001
2 From: Andreas Gruenbacher <agruen@gnu.org>
3 Date: Fri, 6 Apr 2018 19:36:15 +0200
4 Subject: Invoke ed directly instead of using the shell
5
6 * src/pch.c (do_ed_script): Invoke ed directly instead of using a shell
7 command to avoid quoting vulnerabilities.
8 ---
9 src/pch.c | 6 ++----
10 1 file changed, 2 insertions(+), 4 deletions(-)
11
12 diff --git a/src/pch.c b/src/pch.c
13 index 4fd5a05..16e001a 100644
14 --- a/src/pch.c
15 +++ b/src/pch.c
16 @@ -2459,9 +2459,6 @@ do_ed_script (char const *inname, char const *outname,
17 *outname_needs_removal = true;
18 copy_file (inname, outname, 0, exclusive, instat.st_mode, true);
19 }
20 - sprintf (buf, "%s %s%s", editor_program,
21 - verbosity == VERBOSE ? "" : "- ",
22 - outname);
23 fflush (stdout);
24
25 pid = fork();
26 @@ -2470,7 +2467,8 @@ do_ed_script (char const *inname, char const *outname,
27 else if (pid == 0)
28 {
29 dup2 (tmpfd, 0);
30 - execl ("/bin/sh", "sh", "-c", buf, (char *) 0);
31 + assert (outname[0] != '!' && outname[0] != '-');
32 + execlp (editor_program, editor_program, "-", outname, (char *) NULL);
33 _exit (2);
34 }
35 else
36 --
37 cgit v1.0-41-gc330
38