Your message dated Sun, 05 May 2024 18:48:09 +0000 with message-id <e1s3gu9-004xq0...@fasolo.debian.org> and subject line Bug#1068938: fixed in less 590-2.1~deb12u2 has caused the Debian Bug report #1068938, regarding less: CVE-2024-32487: with LESSOPEN mishandles \n in paths to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 1068938: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068938 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
--- Begin Message ---Source: less Version: 590-2 Severity: important Tags: security upstream X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org> Hi, The following vulnerability was published for less. CVE-2024-32487[0]: | less through 653 allows OS command execution via a newline character | in the name of a file, because quoting is mishandled in filename.c. | Exploitation typically requires use with attacker-controlled file | names, such as the files extracted from an untrusted archive. | Exploitation also requires the LESSOPEN environment variable, but | this is set by default in many common cases. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2024-32487 https://www.cve.org/CVERecord?id=CVE-2024-32487 [1] https://www.openwall.com/lists/oss-security/2024/04/12/5 Please adjust the affected versions in the BTS as needed. Regards, Salvatore
--- End Message ---
--- Begin Message ---Source: less Source-Version: 590-2.1~deb12u2 Done: Salvatore Bonaccorso <car...@debian.org> We believe that the bug you reported is fixed in the latest version of less, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 1068...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Salvatore Bonaccorso <car...@debian.org> (supplier of updated less package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Format: 1.8 Date: Thu, 02 May 2024 20:30:51 +0200 Source: less Architecture: source Version: 590-2.1~deb12u2 Distribution: bookworm-security Urgency: high Maintainer: Milan Kupcevic <mi...@debian.org> Changed-By: Salvatore Bonaccorso <car...@debian.org> Closes: 1064293 1068938 1069681 Changes: less (590-2.1~deb12u2) bookworm-security; urgency=high . * Non-maintainer upload by the Security Team. . [ Milan Kupcevic ] * Fix incorrect display when filename contains control chars (Closes: #1069681) . less (590-2.1~deb12u1) bookworm-security; urgency=high . * Non-maintainer upload by the Security Team. * Rebuild for bookworm-security . less (590-2.1) unstable; urgency=medium . * Non-maintainer upload. * Shell-quote filenames when invoking LESSCLOSE (CVE-2022-48624) (Closes: #1064293) * Fix bug when viewing a file whose name contains a newline (CVE-2024-32487) (Closes: #1068938) Checksums-Sha1: 683da794f9203c803fa4690c9fc643e05e6b20df 2228 less_590-2.1~deb12u2.dsc 6a6d4f2cbe18bce3db8dc9f4337c2b35f32c76f4 23852 less_590-2.1~deb12u2.debian.tar.xz Checksums-Sha256: 1a4219f8ec9342851805089d9ee5ec7c0150287d5722ecc914c50790673ad9a6 2228 less_590-2.1~deb12u2.dsc 4a54c48a25cabb5408af6d7bc174cad96614e540b47d2b8962b3e13819fd9b30 23852 less_590-2.1~deb12u2.debian.tar.xz Files: 7dc4c944e5b41d3004e4eaa7be2c2134 2228 text important less_590-2.1~deb12u2.dsc 2d60b4f47bdb42a8e75be462aa417d1c 23852 text important less_590-2.1~deb12u2.debian.tar.xz -----BEGIN PGP SIGNATURE----- iQKmBAEBCgCQFiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmYz3JZfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2 NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQSHGNhcm5pbEBk ZWJpYW4ub3JnAAoJEAVMuPMTQ89EWlIP/2noXgRJDkAvk7sxtArXPXg//lNiY/vu eb4KDvjfCqa3Vmnk/TRf1+tXfo3pUM6CHr0JQmZQL4LwSdp61C45KnQwRXX1HWdK RYqIoerrXp59TvXX65+oNPNh3DJlVbguOhvalg4g3+jc6K8CQAOZYVC2P4akpcbU 3/y2aEF+tdBgmq99H0uMo9KgY0pIQGaWcxYZQbf9LCOttw+iPGv+4uZxv/SKeuqg nsJBiZw5Zuy9AjlTuTHwTOIgS6xsk7L1RlJ9b0vv/UaQUN05Qo/6k3XM65j6WwC+ 3WGu3sIPo54ap26Pwjjf3dR19lGrZABh9IAdrgQlp0rm/pmI4G30+PVEy3dNInSL QqkcW8oUA239xs/XzXeKACMreTCFFx+NhKN0UeJuru1awVZXEWp0BHoFn9HDfS5p O+yPNFH4sT09JDAc2dFLzJRGOO+8TgRjJ01Ylcs2cCktNp4Tgzw1JzMHDAsJJEXg QNg6ekYvlmpsqokAamBlXQTyET7GC/ur6TYuGVX6H6Rq3YJ6v/aLiC2RRijB3AiQ vdt5tr3fRNAGKxiPfR6bEpSunYISjmgZPYRYcP+nsId8oMFsstfpJCRtGosyI/cj lOHZuBmgxyikxYbxX5LxzDlCUWR9r51k93F3z/oQesrZbMIvCkZ+8QqPe56q1mI1 0krKZsOhjiTM =Bqc3 -----END PGP SIGNATURE-----pgpN1ZVqbWLt3.pgp
Description: PGP signature
--- End Message ---