Version in base suite: 551-2

Base version: less_551-2
Target version: less_551-2+deb11u1
Base file: /srv/ftp-master.debian.org/ftp/pool/main/l/less/less_551-2.dsc
Target file: /srv/ftp-master.debian.org/policy/pool/main/l/less/less_551-2+deb11u1.dsc

 changelog                                                          |   10 +
 patches/Fix-bug-when-viewing-a-file-whose-name-contains-a-ne.patch |   67 ++++++++++
 patches/Shell-quote-filenames-when-invoking-LESSCLOSE.patch        |   43 ++++++
 patches/series                                                     |    2 
 4 files changed, 122 insertions(+)

diff -Nru less-551/debian/changelog less-551/debian/changelog
--- less-551/debian/changelog	2020-07-05 23:36:33.000000000 +0000
+++ less-551/debian/changelog	2024-04-19 19:37:35.000000000 +0000
@@ -1,3 +1,13 @@
+less (551-2+deb11u1) bullseye-security; urgency=high
+
+  * Non-maintainer upload by the Security Team.
+  * Shell-quote filenames when invoking LESSCLOSE (CVE-2022-48624)
+    (Closes: #1064293)
+  * Fix bug when viewing a file whose name contains a newline (CVE-2024-32487)
+    (Closes: #1068938)
+
+ -- Salvatore Bonaccorso <carnil@debian.org>  Fri, 19 Apr 2024 21:37:35 +0200
+
 less (551-2) sid; urgency=medium
 
   * remove /bin/less pager alternative before upgrade
diff -Nru less-551/debian/patches/Fix-bug-when-viewing-a-file-whose-name-contains-a-ne.patch less-551/debian/patches/Fix-bug-when-viewing-a-file-whose-name-contains-a-ne.patch
--- less-551/debian/patches/Fix-bug-when-viewing-a-file-whose-name-contains-a-ne.patch	1970-01-01 00:00:00.000000000 +0000
+++ less-551/debian/patches/Fix-bug-when-viewing-a-file-whose-name-contains-a-ne.patch	2024-04-19 19:37:35.000000000 +0000
@@ -0,0 +1,67 @@
+From: Mark Nudelman <markn@greenwoodsoftware.com>
+Date: Thu, 11 Apr 2024 17:49:48 -0700
+Subject: Fix bug when viewing a file whose name contains a newline.
+Origin: https://github.com/gwsw/less/commit/007521ac3c95bc76e3d59c6dbfe75d06c8075c33
+Bug-Debian: https://bugs.debian.org/1068938
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2024-32487
+
+---
+ filename.c | 31 +++++++++++++++++++++++++------
+ 1 file changed, 25 insertions(+), 6 deletions(-)
+
+--- a/filename.c
++++ b/filename.c
+@@ -136,6 +136,15 @@ metachar(c)
+ }
+ 
+ /*
++ * Must use quotes rather than escape char for this metachar?
++ */
++static int must_quote(char c)
++{
++	/* {{ Maybe the set of must_quote chars should be configurable? }} */
++	return (c == '\n'); 
++}
++
++/*
+  * Insert a backslash before each metacharacter in a string.
+  */
+ 	public char *
+@@ -168,6 +177,9 @@ shell_quote(s)
+ 				 * doesn't support escape chars.  Use quotes.
+ 				 */
+ 				use_quotes = 1;
++			} else if (must_quote(*p))
++			{
++				len += 3; /* open quote + char + close quote */
+ 			} else
+ 			{
+ 				/*
+@@ -197,15 +209,22 @@ shell_quote(s)
+ 	{
+ 		while (*s != '\0')
+ 		{
+-			if (metachar(*s))
++			if (!metachar(*s))
+ 			{
+-				/*
+-				 * Add the escape char.
+-				 */
++				*p++ = *s++;
++			} else if (must_quote(*s))
++			{
++				/* Surround the char with quotes. */
++				*p++ = openquote;
++				*p++ = *s++;
++				*p++ = closequote;
++			} else
++			{
++				/* Insert an escape char before the char. */
+ 				strcpy(p, esc);
+ 				p += esclen;
++				*p++ = *s++;
+ 			}
+-			*p++ = *s++;
+ 		}
+ 		*p = '\0';
+ 	}
diff -Nru less-551/debian/patches/Shell-quote-filenames-when-invoking-LESSCLOSE.patch less-551/debian/patches/Shell-quote-filenames-when-invoking-LESSCLOSE.patch
--- less-551/debian/patches/Shell-quote-filenames-when-invoking-LESSCLOSE.patch	1970-01-01 00:00:00.000000000 +0000
+++ less-551/debian/patches/Shell-quote-filenames-when-invoking-LESSCLOSE.patch	2024-04-19 19:37:35.000000000 +0000
@@ -0,0 +1,43 @@
+From: Mark Nudelman <markn@greenwoodsoftware.com>
+Date: Sat, 25 Jun 2022 11:54:43 -0700
+Subject: Shell-quote filenames when invoking LESSCLOSE.
+Origin: https://github.com/gwsw/less/commit/c6ac6de49698be84d264a0c4c0c40bb870b10144
+Bug-Debian: https://bugs.debian.org/1064293
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2022-48624
+
+---
+ filename.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/filename.c b/filename.c
+index 5824e385dce4..dff20c08d81c 100644
+--- a/filename.c
++++ b/filename.c
+@@ -972,6 +972,8 @@ close_altfile(altfilename, filename)
+ {
+ #if HAVE_POPEN
+ 	char *lessclose;
++	char *qfilename;
++	char *qaltfilename;
+ 	FILE *fd;
+ 	char *cmd;
+ 	int len;
+@@ -986,9 +988,13 @@ close_altfile(altfilename, filename)
+ 		error("LESSCLOSE ignored; must contain no more than 2 %%s", NULL_PARG);
+ 		return;
+ 	}
+-	len = (int) (strlen(lessclose) + strlen(filename) + strlen(altfilename) + 2);
++	qfilename = shell_quote(filename);
++	qaltfilename = shell_quote(altfilename);
++	len = (int) (strlen(lessclose) + strlen(qfilename) + strlen(qaltfilename) + 2);
+ 	cmd = (char *) ecalloc(len, sizeof(char));
+-	SNPRINTF2(cmd, len, lessclose, filename, altfilename);
++	SNPRINTF2(cmd, len, lessclose, qfilename, qaltfilename);
++	free(qaltfilename);
++	free(qfilename);
+ 	fd = shellcmd(cmd);
+ 	free(cmd);
+ 	if (fd != NULL)
+-- 
+2.43.0
+
diff -Nru less-551/debian/patches/series less-551/debian/patches/series
--- less-551/debian/patches/series	2019-09-10 19:38:16.000000000 +0000
+++ less-551/debian/patches/series	2024-04-19 19:37:35.000000000 +0000
@@ -1,2 +1,4 @@
 less-is-more-434417.patch
 02-655926-more_can_go_backwards.patch
+Shell-quote-filenames-when-invoking-LESSCLOSE.patch
+Fix-bug-when-viewing-a-file-whose-name-contains-a-ne.patch