openkylin
/
patch
4
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Invoke ed directly instead of using the shell 

* src/pch.c (do_ed_script): Invoke ed directly instead of using a shell
command to avoid quoting vulnerabilities.

Gbp-Pq: Name 0005-CVE-2019-13638.patch
This commit is contained in:
Andreas Gruenbacher 2018-04-06 19:36:15 +02:00 committed by openKylinBot
parent a1508e0da9
commit 6e5f3d2032
1 changed files with 2 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
src/pch.c
View File

@ -2459,9 +2459,6 @@ do_ed_script (char const *inname, char const *outname,
*outname_needs_removal = true;
copy_file (inname, outname, 0, exclusive, instat.st_mode, true);
}
sprintf (buf, "%s %s%s", editor_program,
verbosity == VERBOSE ? "" : "- ",
outname);
fflush (stdout);
pid = fork();
@ -2470,7 +2467,8 @@ do_ed_script (char const *inname, char const *outname,
else if (pid == 0)
{
dup2 (tmpfd, 0);
execl ("/bin/sh", "sh", "-c", buf, (char *) 0);
assert (outname[0] != '!' && outname[0] != '-');
execlp (editor_program, editor_program, "-", outname, (char *) NULL);
_exit (2);
}
else