wall: fix escape sequence Injection [CVE-2024-28085]

Let's use for all cases the same output function. Reported-by: Skyler Ferrante <sjf5462@rit.edu> Signed-off-by: Karel Zak <kzak@redhat.com>
util-linux · Mar 27, 2024 · 404b078 · 404b078
1 parent 2ff49aa
commit 404b078
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/term-utils/wall.c b/term-utils/wall.c
@@ -368,7 +368,7 @@ static char *makemsg(char *fname, char **mvec, int mvecsz,
 		int i;
 
 		for (i = 0; i < mvecsz; i++) {
-			fputs(mvec[i], fs);
+			fputs_careful(mvec[i], fs, '^', true, TERM_WIDTH);
 			if (i < mvecsz - 1)
 				fputc(' ', fs);
 		}