Index: lib/quotearg.c
--- lib/quotearg.c.orig	2000-01-19 09:19:48 +0100
+++ lib/quotearg.c	2004-08-06 13:34:41 +0200
@@ -59,6 +59,9 @@
 #endif
 
 #if HAVE_MBRTOWC && HAVE_WCHAR_H
+#if defined(__hpux)
+# include<sys/_mbstate_t.h>
+#endif
 # include <wchar.h>
 #else
 # define iswprint(wc) 1
Index: lib/strftime.c
--- lib/strftime.c.orig	2000-01-02 08:10:09 +0100
+++ lib/strftime.c	2004-08-06 13:35:34 +0200
@@ -67,6 +67,9 @@
 
 #if DO_MULTIBYTE
 # if HAVE_MBRLEN
+#  if defined(__hpux)
+#   include<sys/_mbstate_t.h>
+#  endif
 #  include <wchar.h>
 # else
    /* Simulate mbrlen with mblen as best we can.  */
Index: lib/path-concat.c
--- lib/path-concat.c.orig	1999-10-10 20:34:46 +0200
+++ lib/path-concat.c	2004-08-18 19:56:40 +0200
@@ -31,8 +31,6 @@
 #endif
 #include <sys/types.h>
 
-char *malloc ();
-
 #ifndef DIRECTORY_SEPARATOR
 # define DIRECTORY_SEPARATOR '/'
 #endif

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1170
    a2ps 4.13 allows remote attackers to execute arbitrary commands via
    shell metacharacters in the filename.
source: http://www.freebsd.org/cgi/cvsweb.cgi/~checkout~/ports/print/a2ps-letter/files/patch-select.c?rev=1.1&content-type=text/plain

--- src/select.c.orig	Thu Dec 16 02:04:56 1999
+++ src/select.c	Sat Aug 21 12:05:31 2004
@@ -131,6 +131,36 @@
   return 1;
 }
 
+/* escapes the name of a file so that the shell groks it in 'single' q.marks. 
+   The resulting pointer has to be free()ed when not longer used. */
+char *
+shell_escape(const char *fn)
+{
+  size_t len = 0;
+  const char *inp;
+  char *retval, *outp;
+
+  for(inp = fn; *inp; ++inp)
+    switch(*inp)
+    {
+      case '\'': len += 4; break;
+      default:   len += 1; break;
+    }
+
+  outp = retval = malloc(len + 1);
+  if(!outp)
+    return NULL; /* perhaps one should do better error handling here */
+  for(inp = fn; *inp; ++inp)
+    switch(*inp)
+    {
+      case '\'': *outp++ = '\''; *outp++ = '\\'; *outp++ = '\'', *outp++ = '\''; break;
+      default:   *outp++ = *inp; break;
+    }
+  *outp = 0;
+
+  return retval;
+}
+
 /* What says file about the type of a file (result is malloc'd).  NULL
   if could not be run.  */
 
@@ -144,11 +174,15 @@
   if (IS_EMPTY (job->file_command))
     return NULL;
 
+  filename = shell_escape(filename);
+  if(filename == NULL)
+    return NULL;
   /* Call file(1) with the correct option */
-  command = ALLOCA (char, (2
+  command = ALLOCA (char, (4
 			   + strlen (job->file_command)
 			   + ustrlen (filename)));
-  sprintf (command, "%s %s", job->file_command, (const char *) filename);
+  sprintf (command, "%s '%s'", job->file_command, (const char *) filename);
+  free(filename);
   message (msg_tool, (stderr, "Reading pipe: `%s'\n", command));
   file_out = popen (command, "r");