1From 3fcd042d26d70856e826a42b5f93dc4854d80bf0 Mon Sep 17 00:00:00 2001 2From: Andreas Gruenbacher <agruen@gnu.org> 3Date: Fri, 6 Apr 2018 19:36:15 +0200 4Subject: [PATCH] Invoke ed directly instead of using the shell 5 6* src/pch.c (do_ed_script): Invoke ed directly instead of using a shell 7command to avoid quoting vulnerabilities. 8 9CVE: CVE-2019-13638 CVE-2018-20969 10Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/patch.git/patch/?id=3fcd042d26d70856e826a42b5f93dc4854d80bf0] 11Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com> 12 13--- 14 src/pch.c | 6 ++---- 15 1 file changed, 2 insertions(+), 4 deletions(-) 16 17 18diff --git a/src/pch.c b/src/pch.c 19index 4fd5a05..16e001a 100644 20--- a/src/pch.c 21+++ b/src/pch.c 22@@ -2459,9 +2459,6 @@ do_ed_script (char const *inname, char const *outname, 23 *outname_needs_removal = true; 24 copy_file (inname, outname, 0, exclusive, instat.st_mode, true); 25 } 26- sprintf (buf, "%s %s%s", editor_program, 27- verbosity == VERBOSE ? "" : "- ", 28- outname); 29 fflush (stdout); 30 31 pid = fork(); 32@@ -2470,7 +2467,8 @@ do_ed_script (char const *inname, char const *outname, 33 else if (pid == 0) 34 { 35 dup2 (tmpfd, 0); 36- execl ("/bin/sh", "sh", "-c", buf, (char *) 0); 37+ assert (outname[0] != '!' && outname[0] != '-'); 38+ execlp (editor_program, editor_program, "-", outname, (char *) NULL); 39 _exit (2); 40 } 41 else 42-- 432.7.4 44 45