
patch implemented for security issue CAN-2004-1170 OpenPKG-SA-2005.003-a2ps

Herbert Schmid 21 年之前
父节点
当前提交
fe25785764
共有 2 个文件被更改,包括 64 次插入1 次删除
  1. 63 0
      a2ps/a2ps.patch
  2. 1 1
      a2ps/a2ps.spec

+ 63 - 0
a2ps/a2ps.patch

@@ -36,3 +36,66 @@ Index: lib/path-concat.c
  #ifndef DIRECTORY_SEPARATOR
  # define DIRECTORY_SEPARATOR '/'
  #endif
+
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1170
+    a2ps 4.13 allows remote attackers to execute arbitrary commands via
+    shell metacharacters in the filename.
+source: http://www.freebsd.org/cgi/cvsweb.cgi/~checkout~/ports/print/a2ps-letter/files/patch-select.c?rev=1.1&content-type=text/plain
+
+--- src/select.c.orig	Thu Dec 16 02:04:56 1999
++++ src/select.c	Sat Aug 21 12:05:31 2004
+@@ -131,6 +131,36 @@
+   return 1;
+ }
+ 
++/* escapes the name of a file so that the shell groks it in 'single' q.marks. 
++   The resulting pointer has to be free()ed when not longer used. */
++char *
++shell_escape(const char *fn)
++{
++  size_t len = 0;
++  const char *inp;
++  char *retval, *outp;
++
++  for(inp = fn; *inp; ++inp)
++    switch(*inp)
++    {
++      case '\'': len += 4; break;
++      default:   len += 1; break;
++    }
++
++  outp = retval = malloc(len + 1);
++  if(!outp)
++    return NULL; /* perhaps one should do better error handling here */
++  for(inp = fn; *inp; ++inp)
++    switch(*inp)
++    {
++      case '\'': *outp++ = '\''; *outp++ = '\\'; *outp++ = '\'', *outp++ = '\''; break;
++      default:   *outp++ = *inp; break;
++    }
++  *outp = 0;
++
++  return retval;
++}
++
+ /* What says file about the type of a file (result is malloc'd).  NULL
+   if could not be run.  */
+ 
+@@ -144,11 +174,15 @@
+   if (IS_EMPTY (job->file_command))
+     return NULL;
+ 
++  filename = shell_escape(filename);
++  if(filename == NULL)
++    return NULL;
+   /* Call file(1) with the correct option */
+-  command = ALLOCA (char, (2
++  command = ALLOCA (char, (4
+ 			   + strlen (job->file_command)
+ 			   + ustrlen (filename)));
+-  sprintf (command, "%s %s", job->file_command, (const char *) filename);
++  sprintf (command, "%s '%s'", job->file_command, (const char *) filename);
++  free(filename);
+   message (msg_tool, (stderr, "Reading pipe: `%s'\n", command));
+   file_out = popen (command, "r");
+ 

+ 1 - 1
a2ps/a2ps.spec

@@ -38,7 +38,7 @@ Class:        BASE
 Group:        Converter
 License:      GPL
 Version:      %{V_major}%{V_minor}
-Release:      20040818
+Release:      20050117
 
 #   list of sources
 Source0:      ftp://ftp.enst.fr/pub/unix/a2ps/a2ps-%{V_major}%{V_minor}.tar.gz