enscript-CVE-2004-1184+CVE-2004-1185+CVE-2004-1186.patch [plain text]
diff -r -u -N --exclude='*.orig' enscript-1.6.4.orig/src/gsint.h enscript-1.6.4/src/gsint.h
--- enscript-1.6.4.orig/src/gsint.h 2003-03-04 23:37:06.000000000 -0800
+++ enscript-1.6.4/src/gsint.h 2009-02-09 16:26:59.000000000 -0800
@@ -701,4 +701,9 @@
*/
void printer_close ___P ((void *context));
+/*
+ * Escape filenames for shell usage
+ */
+char *shell_escape ___P ((const char *fn));
+
#endif /* not GSINT_H */
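Review bot: The comment on the new `shell_escape` prototype leaves out two things a caller has to know: the result is only safe when placed between single quotes, and the returned buffer is heap-allocated and may be NULL. I would extend it to something like `Escape FN for use inside a single-quoted shell word; returns a malloc()ed string the caller must free(), or NULL on allocation failure.` Without that, a later caller can reasonably read "escape for shell usage" as safe in any quoting context.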
diff -r -u -N --exclude='*.orig' enscript-1.6.4.orig/src/main.c enscript-1.6.4/src/main.c
--- enscript-1.6.4.orig/src/main.c 2003-03-04 23:36:32.000000000 -0800
+++ enscript-1.6.4/src/main.c 2009-02-09 16:26:59.000000000 -0800
@@ -1546,9 +1546,13 @@
buffer_append (&cmd, intbuf);
buffer_append (&cmd, " ");
- buffer_append (&cmd, "-Ddocument_title=\"");
- buffer_append (&cmd, title);
- buffer_append (&cmd, "\" ");
+ buffer_append (&cmd, "-Ddocument_title=\'");
+ if ((cp = shell_escape (title)) != NULL)
+ {
+ buffer_append (&cmd, cp);
+ free (cp);
+ }
+ buffer_append (&cmd, "\' ");
buffer_append (&cmd, "-Dtoc=");
buffer_append (&cmd, toc ? "1" : "0");
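Review bot: When `shell_escape (title)` returns NULL the title is dropped without any message, and the command is still built with an empty `-Ddocument_title=''`. The same pattern in the input-file loop in the next hunk omits the file from the command line entirely, and the `case 's':` hunk in util.c leaves the filename out of the filter command, so an allocation failure changes what gets executed instead of stopping it. I would report the failure and exit at each call site, or have `shell_escape` allocate with `xmalloc` as the rest of util.c does, assuming that helper terminates on failure. `cp` is not declared in this hunk, and the enclosing function continues outside it.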
@@ -1565,8 +1569,14 @@
/* Append input files. */
for (i = optind; i < argc; i++)
{
- buffer_append (&cmd, " ");
- buffer_append (&cmd, argv[i]);
+ char *cp;
+ if ((cp = shell_escape (argv[i])) != NULL)
+ {
+ buffer_append (&cmd, " \'");
+ buffer_append (&cmd, cp);
+ buffer_append (&cmd, "\'");
+ free (cp);
+ }
}
/* And do the job. */
@@ -1627,7 +1637,7 @@
buffer_ptr (opts), buffer_len (opts));
}
- buffer_append (&buffer, " \"%s\"");
+ buffer_append (&buffer, " \'%s\'");
input_filter = buffer_copy (&buffer);
input_filter_stdin = "-";
diff -r -u -N --exclude='*.orig' enscript-1.6.4.orig/src/psgen.c enscript-1.6.4/src/psgen.c
--- enscript-1.6.4.orig/src/psgen.c 2003-03-04 23:36:53.000000000 -0800
+++ enscript-1.6.4/src/psgen.c 2009-02-09 16:30:11.000000000 -0800
@@ -2034,8 +2034,9 @@
else
{
ftail++;
- strncpy (buf, fname, ftail - fname);
- buf[ftail - fname] = '\0';
+ i = ftail - fname >= sizeof (buf)-1 ? sizeof (buf)-1 : ftail - fname;
+ strncpy (buf, fname, i);
+ buf[i] = '\0';
}
if (nup > 1)
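Review bot: The clamp on the first added line truncates an over-long directory prefix silently, so `buf` ends up naming a different path than `fname` does and whatever uses `buf` after this hunk works on the wrong directory. Reporting the over-long name and failing would be safer than continuing. The expression also compares a `ptrdiff_t` with a `size_t` and leans on operator precedence; `size_t n = (size_t) (ftail - fname); if (n >= sizeof (buf)) n = sizeof (buf) - 1;` followed by `memcpy (buf, fname, n);` reads more clearly, since `strncpy` adds nothing once the length is bounded. The declarations of `buf` and `i` are outside the hunk.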
@@ -2385,9 +2386,10 @@
MESSAGE (2, (stderr, "^@epsf=\"%s\"\n", token->u.epsf.filename));
i = strlen (token->u.epsf.filename);
+ /*
if (i > 0 && token->u.epsf.filename[i - 1] == '|')
{
- /* Read EPS data from pipe. */
+ / * Read EPS data from pipe. * /
token->u.epsf.pipe = 1;
token->u.epsf.filename[i - 1] = '\0';
token->u.epsf.fp = popen (token->u.epsf.filename, "r");
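Review bot: Disabling the EPS pipe branch by wrapping it in a block comment is fragile: the opener added here is only closed by the `*/` added before the `else` body in the following hunk, and the inner comment had to be mangled to `/ * … * /` to keep it from ending early. Any other `*/` in the lines between the two hunks, which are not visible here, would re-enable part of the branch. I would delete the branch outright, or use `#if 0` / `#endif` with a comment such as `/* EPS input from a pipe is disabled: the filename is taken from an ^@epsf escape in the input. */`. The `pipe` field, any cleanup that tests it, and the user documentation for the trailing `|` syntax presumably need the same treatment.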
@@ -2400,6 +2402,7 @@
}
}
else
+ */
{
char *filename;
diff -r -u -N --exclude='*.orig' enscript-1.6.4.orig/src/util.c enscript-1.6.4/src/util.c
--- enscript-1.6.4.orig/src/util.c 2003-03-04 23:26:32.000000000 -0800
+++ enscript-1.6.4/src/util.c 2009-02-09 16:28:12.000000000 -0800
@@ -1239,6 +1239,8 @@
/* Create result. */
cp = xmalloc (len + 1);
+ if (cp == NULL)
+ return NULL;
for (i = 0, j = 0; string[i]; i++)
switch (string[i])
{
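Review bot: The added NULL check after `xmalloc` is either dead code or an incomplete fix. Allocators named `xmalloc` normally terminate the program on failure, in which case these two lines never run. If this one can return NULL, every caller of the enclosing function now has to handle a NULL result, and nothing in this patch shows that they do. A one-line comment stating which of the two is intended would settle it; the enclosing function starts and ends outside the hunk.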
@@ -1879,6 +1881,7 @@
char *cmd = NULL;
int cmdlen;
int i, pos;
+ char *cp;
is->is_pipe = 1;
@@ -1902,12 +1905,16 @@
{
case 's':
/* Expand cmd-buffer. */
- cmdlen += strlen (fname);
- cmd = xrealloc (cmd, cmdlen);
+ if ((cp = shell_escape (fname)) != NULL)
+ {
+ cmdlen += strlen (cp);
+ cmd = xrealloc (cmd, cmdlen);
- /* Paste filename. */
- strcpy (cmd + pos, fname);
- pos += strlen (fname);
+ /* Paste filename. */
+ strcpy (cmd + pos, cp);
+ pos += strlen (cp);
+ free (cp);
+ }
i++;
break;
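Review bot: `shell_escape` only rewrites `'`, so the expansion of `%s` in `case 's':` is safe only when the filter template itself places `%s` between single quotes. This patch changes the built-in template in main.c to `'%s'`, but templates that reach this function from options or configuration files (not visible here) may use `"%s"` or a bare `%s`, and those get no protection from the escaping. The safer design is for this branch to add the quotes itself and for all templates, including the built-in one, to use a bare `%s`. At minimum the single-quote requirement belongs in a comment here and in the filter documentation. The function body starts and ends outside the hunk.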
@@ -1991,12 +1998,13 @@
if (is->bufpos >= is->data_in_buf)
{
/* At the EOF? */
- if (is->nreads > 0 && is->data_in_buf < sizeof (is->buf))
+ if (is->nreads > 0 && is->data_in_buf <= 0)
/* Yes. */
return EOF;
/* Read more data. */
- is->data_in_buf = fread (is->buf, 1, sizeof (is->buf), is->fp);
+ memset (is->buf, 0, sizeof (is->buf));
+ is->data_in_buf = fread (is->buf, 1, sizeof (is->buf)-1, is->fp);
is->bufpos = 0;
is->nreads++;
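Review bot: The reason for reading `sizeof (is->buf)-1` bytes into a zeroed buffer is not stated; presumably some consumer outside this hunk treats `is->buf` as a NUL-terminated string. A comment saying so would keep the `-1` from being "fixed" later. Clearing the whole buffer on every refill is also more than termination needs: `is->buf[is->data_in_buf] = '\0';` after the `fread` would terminate the data just as well. `is->data_in_buf <= 0` reads oddly if the field is unsigned, where it just means `== 0`; its declaration is not in the hunk.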
@@ -2116,3 +2124,36 @@
{
return buffer->len;
}
+
+/*
+ * Escapes the name of a file so that the shell groks it in 'single'
+ * quotation marks. The resulting pointer has to be free()ed when not
+ * longer used.
+*/
+char *
+shell_escape(const char *fn)
+{
+ size_t len = 0;
+ const char *inp;
+ char *retval, *outp;
+
+ for(inp = fn; *inp; ++inp)
+ switch(*inp)
+ {
+ case '\'': len += 4; break;
+ default: len += 1; break;
+ }
+
+ outp = retval = malloc(len + 1);
+ if(!outp)
+ return NULL; /* perhaps one should do better error handling here */
+ for(inp = fn; *inp; ++inp)
+ switch(*inp)
+ {
+ case '\'': *outp++ = '\''; *outp++ = '\\'; *outp++ = '\'', *outp++ = '\''; break;
+ default: *outp++ = *inp; break;
+ }
+ *outp = 0;
+
+ return retval;
+}
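Review bot: In the second `switch`, the `'\''` case mixes `;` with the comma operator (`*outp++ = '\'', *outp++ = '\'';`). It works, but it looks like a typo and should be four plain statements or `memcpy (outp, "'\\''", 4); outp += 4;`. `fn` is dereferenced without a NULL check, so callers must guarantee a non-NULL argument; whether `title` in main.c can be NULL is not visible here. The header comment also has a typo (`not longer` should be `no longer`).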