Index: lib/quotearg.c
--- lib/quotearg.c.orig	2000-01-19 09:19:48 +0100
+++ lib/quotearg.c	2004-08-06 13:34:41 +0200
@@ -59,6 +59,9 @@
 #endif
 
 #if HAVE_MBRTOWC && HAVE_WCHAR_H
+#if defined(__hpux)
+# include<sys/_mbstate_t.h>
+#endif
 # include <wchar.h>
 #else
 # define iswprint(wc) 1
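Review bot: The added `# include<sys/_mbstate_t.h>` omits the space before `<` that the adjacent `# include <wchar.h>` and the rest of this conditional block use; the matching addition in the lib/strftime.c hunk has the same inconsistency. `# include <sys/_mbstate_t.h>` keeps the two includes aligned with the file's existing style. A short comment on the guard, such as `/* HP-UX: presumably mbstate_t must be declared before <wchar.h> is usable -- confirm */`, would record why this header is pulled in only on that platform, which the bare `__hpux` test does not explain.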
Index: lib/strftime.c
--- lib/strftime.c.orig	2000-01-02 08:10:09 +0100
+++ lib/strftime.c	2004-08-06 13:35:34 +0200
@@ -67,6 +67,9 @@
 
 #if DO_MULTIBYTE
 # if HAVE_MBRLEN
+#  if defined(__hpux)
+#   include<sys/_mbstate_t.h>
+#  endif
 #  include <wchar.h>
 # else
    /* Simulate mbrlen with mblen as best we can.  */
Index: lib/path-concat.c
--- lib/path-concat.c.orig	1999-10-10 20:34:46 +0200
+++ lib/path-concat.c	2004-08-18 19:56:40 +0200
@@ -31,8 +31,6 @@
 #endif
 #include <sys/types.h>
 
-char *malloc ();
-
 #ifndef DIRECTORY_SEPARATOR
 # define DIRECTORY_SEPARATOR '/'
 #endif
Index: etc/Makefile.in
--- etc/Makefile.in.orig	2000-02-24 18:55:34 +0100
+++ etc/Makefile.in	2006-09-10 18:56:23 +0200
@@ -131,7 +131,7 @@
 lispdir = @lispdir@
 
 
-ogonkifydir = $(datadir)/ogonkify
+ogonkifydir = $(datadir)/a2ps/ogonkify
 libpath = $(pkgdatadir)/sheets:$(pkgdatadir)/ps:$(pkgdatadir)/encoding:$(pkgdatadir)/afm:$(ogonkifydir)/afm:$(pkgdatadir)/ppd:$(pkgdatadir)/fonts:$(ogonkifydir)/fonts:$(pkgdatadir)
 
 pkgdata_DATA = README
Index: ogonkify/Makefile.in
--- ogonkify/Makefile.in.orig	2000-01-07 14:00:49 +0100
+++ ogonkify/Makefile.in	2006-09-10 18:57:37 +0200
@@ -33,7 +33,7 @@
 
 DESTDIR =
 
-pkgdatadir = $(datadir)/@PACKAGE@
+pkgdatadir = $(datadir)/a2ps/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1170
    a2ps 4.13 allows remote attackers to execute arbitrary commands via
    shell metacharacters in the filename.
source: http://www.freebsd.org/cgi/cvsweb.cgi/~checkout~/ports/print/a2ps-letter/files/patch-select.c?rev=1.1&content-type=text/plain

--- src/select.c.orig	Thu Dec 16 02:04:56 1999
+++ src/select.c	Sat Aug 21 12:05:31 2004
@@ -131,6 +131,36 @@
   return 1;
 }
 
+/* escapes the name of a file so that the shell groks it in 'single' q.marks. 
+   The resulting pointer has to be free()ed when not longer used. */
+char *
+shell_escape(const char *fn)
+{
+  size_t len = 0;
+  const char *inp;
+  char *retval, *outp;
+
+  for(inp = fn; *inp; ++inp)
+    switch(*inp)
+    {
+      case '\'': len += 4; break;
+      default:   len += 1; break;
+    }
+
+  outp = retval = malloc(len + 1);
+  if(!outp)
+    return NULL; /* perhaps one should do better error handling here */
+  for(inp = fn; *inp; ++inp)
+    switch(*inp)
+    {
+      case '\'': *outp++ = '\''; *outp++ = '\\'; *outp++ = '\'', *outp++ = '\''; break;
+      default:   *outp++ = *inp; break;
+    }
+  *outp = 0;
+
+  return retval;
+}
+
 /* What says file about the type of a file (result is malloc'd).  NULL
   if could not be run.  */
 
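Review bot: In shell_escape's `case '\''` branch the third and fourth stores are joined by a comma operator (`*outp++ = '\'', *outp++ = '\''`) while the neighbouring stores use semicolons; it executes identically, but it reads like a typo and invites a mis-edit, so `case '\'': *outp++ = '\''; *outp++ = '\\'; *outp++ = '\''; *outp++ = '\''; break;` is clearer. The function is also given external linkage with no prototype visible; if nothing outside select.c calls it, `static char *` keeps it file-local and lets the compiler flag a mismatched or unused definition. The header comment would be more useful stating the contract exactly, e.g. `/* Return a malloc'd copy of FN that is safe to place between single quotes in a sh command: every ' becomes '\'' so it cannot end the quoting. Returns NULL on allocation failure; the caller free()s the result. */`.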
@@ -144,11 +174,15 @@
   if (IS_EMPTY (job->file_command))
     return NULL;
 
+  filename = shell_escape(filename);
+  if(filename == NULL)
+    return NULL;
   /* Call file(1) with the correct option */
-  command = ALLOCA (char, (2
+  command = ALLOCA (char, (4
 			   + strlen (job->file_command)
 			   + ustrlen (filename)));
-  sprintf (command, "%s %s", job->file_command, (const char *) filename);
+  sprintf (command, "%s '%s'", job->file_command, (const char *) filename);
+  free(filename);
   message (msg_tool, (stderr, "Reading pipe: `%s'\n", command));
   file_out = popen (command, "r");
 
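Review bot: The parameter `filename` is overwritten with the heap copy returned by shell_escape and then released on the `free(filename)` line, so for the rest of the function (its body continues past this hunk) `filename` is a dangling pointer and the caller's original, unescaped name is no longer reachable; any later use of `filename`, for instance in a diagnostic, would be a use-after-free. Keeping the escaped string in its own local avoids both problems: declare `char *escaped;` with the function's other locals (outside the hunk) and use it for the length computation, the sprintf and the free, as below. The `(const char *) filename` cast and the `ustrlen` call suggest `filename` is not a plain `char *`, in which case the assignment back from shell_escape may also draw a conversion warning; worth confirming against the parameter's declared type. Since the command still goes through popen's shell, this single-quote escaping is the only barrier between an untrusted name and the shell; it is the correct quoting for POSIX sh provided `job->file_command` itself is trusted configuration.
```c
  escaped = shell_escape (filename);
  if (escaped == NULL)
    return NULL;
  /* Call file(1) with the correct option */
  command = ALLOCA (char, (4
			   + strlen (job->file_command)
			   + ustrlen (escaped)));
  sprintf (command, "%s '%s'", job->file_command, (const char *) escaped);
  free (escaped);
  /* … unchanged: message () and popen () … */
```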
