From 07bec5ca9ae6efd2f3451df91a8d0276c6751f99 Mon Sep 17 00:00:00 2001
From: Yang_X_Y <yangxinyu@nfschina.com>
Date: Thu, 22 Aug 2024 15:43:11 +0800
Subject: [PATCH] fix cve-2024-32487

---
 fix-cve-2024-32487.patch | 86 ++++++++++++++++++++++++++++++++++++++++
 less.spec                | 10 ++++-
 2 files changed, 94 insertions(+), 2 deletions(-)
 create mode 100644 fix-cve-2024-32487.patch

diff --git a/fix-cve-2024-32487.patch b/fix-cve-2024-32487.patch
new file mode 100644
index 0000000..1453b61
--- /dev/null
+++ b/fix-cve-2024-32487.patch
@@ -0,0 +1,86 @@
+From f31bd16bd797df95775e13411a80e13d62b3de4b Mon Sep 17 00:00:00 2001
+From: Yang_X_Y <yangxinyu@nfschina.com>
+Date: Thu, 22 Aug 2024 15:40:45 +0800
+Subject: [PATCH] fix-cve-2024-32487
+
+---
+ filename.c | 32 ++++++++++++++++++++++++++------
+ 1 file changed, 26 insertions(+), 6 deletions(-)
+
+diff --git a/filename.c b/filename.c
+index 983a02b..44c5e3d 100644
+--- a/filename.c
++++ b/filename.c
+@@ -13,6 +13,7 @@
+  * Much of this is very OS dependent.
+  */
+ 
++#include <stdbool.h>
+ #include "less.h"
+ #include "lglob.h"
+ #if MSDOS_COMPILER
+@@ -128,13 +129,22 @@ metachars()
+ /*
+  * Is this a shell metacharacter?
+  */
+-	static int
++	static bool
+ metachar(c)
+ 	char c;
+ {
+ 	return (strchr(metachars(), c) != NULL);
+ }
+ 
++/*
++ * Must use quotes rather than escape char for this metachar?
++ */
++static bool must_quote(char c)
++{
++	/* {{ Maybe the set of must_quote chars should be configurable? }} */
++	return (c == '\n'); 
++}
++
+ /*
+  * Insert a backslash before each metacharacter in a string.
+  */
+@@ -168,6 +178,9 @@ shell_quote(s)
+ 				 * doesn't support escape chars.  Use quotes.
+ 				 */
+ 				use_quotes = 1;
++			} else if (must_quote(*p))
++			{
++				len += 3; /* open quote + char + close quote */
+ 			} else
+ 			{
+ 				/*
+@@ -197,15 +210,22 @@ shell_quote(s)
+ 	{
+ 		while (*s != '\0')
+ 		{
+-			if (metachar(*s))
++			if (!metachar(*s))
+ 			{
+-				/*
+-				 * Add the escape char.
+-				 */
++				*p++ = *s++;
++			} else if (must_quote(*s))
++			{
++				/* Surround the char with quotes. */
++				*p++ = openquote;
++				*p++ = *s++;
++				*p++ = closequote;
++			} else
++			{
++				/* Insert an escape char before the char. */
+ 				strcpy(p, esc);
+ 				p += esclen;
++				*p++ = *s++;
+ 			}
+-			*p++ = *s++;
+ 		}
+ 		*p = '\0';
+ 	}
+-- 
+2.33.0
+
diff --git a/less.spec b/less.spec
index ac6645e..aea7caa 100644
--- a/less.spec
+++ b/less.spec
@@ -1,4 +1,4 @@
-%define anolis_release .0.2
+%define anolis_release .0.3
 Summary: A text file browser similar to more, but better
 Name: less
 Version: 530
@@ -19,6 +19,9 @@ Patch10: less-458-lesskey-usage.patch
 Patch11: less-458-old-bot-in-help.patch
 Patch12: less-530-CVE-2022-48624.patch
 
+#https://github.com/gwsw/less/commit/007521ac3c95bc76e3d59c6dbfe75d06c8075c33
+Patch13: fix-cve-2024-32487.patch
+
 URL: http://www.greenwoodsoftware.com/less/
 BuildRequires: ncurses-devel
 BuildRequires: autoconf automake libtool
@@ -51,7 +54,7 @@ Doc pages for %{name}.
 %patch9 -p1 -b .less-filters-man
 %patch10 -p1 -b .lesskey-usage
 %patch11 -p1 -b .old-bot
-
+%patch13 -p1 
 
 %build
 rm -f ./configure
@@ -76,6 +79,9 @@ install -p -m 644 %{SOURCE3} $RPM_BUILD_ROOT/etc/profile.d
 %doc README NEWS INSTALL
 
 %changelog
+* Mon Aug 19 2024 yangxinyu <yangxinyu@nfschina.com> - 530-1.0.3
+- Fix: CVE-2024-32487
+
 * Tue Apr 9 2024 Kai Song <songkai01@inspur.com> - 530-1.0.2
 - Fix: CVE-2022-48624
 
-- 
Gitee