Your message dated Sun, 05 May 2024 19:18:13 +0000
with message-id <[email protected]>
and subject line Bug#1069681: fixed in less 551-2+deb11u2
has caused the Debian Bug report #1069681,
regarding less does not escape special characters when outputting the filename
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1069681: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1069681
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: less
Version: 590-2.1
Severity: important
Tags: security
X-Debbugs-Cc: Debian Security Team <[email protected]>
"less" does not escape special characters when outputting the
filename, either in the status line or in an error message.
With untrusted filenames (like in CVE-2024-32487), weird things
can happen in the terminal, which might be used for attacks.
For instance,
$ echo foo > test$'\033'\[\?40h$'\033'\[\?3h
$ less test$'\033'\[\?40h$'\033'\[\?3h
(in shells that understand the $'...' syntax, such as bash or zsh)
resizes the xterm window from 80 columns to 132 columns.
I can't reproduce this issue with the upstream version when the
file is viewable (the status line can be a bit incorrect, though);
I suppose that there was some fix in the recent past. When the
file is not viewable, same problem due to the error message. I've
reported the bug here:
https://github.com/gwsw/less/issues/503
-- System Information:
Debian Release: trixie/sid
APT prefers unstable-debug
APT policy: (500, 'unstable-debug'), (500, 'stable-updates'), (500,
'stable-security'), (500, 'stable-debug'), (500, 'proposed-updates-debug'),
(500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 6.6.15-amd64 (SMP w/12 CPU threads; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE,
TAINT_UNSIGNED_MODULE
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages less depends on:
ii libc6 2.37-18
ii libtinfo6 6.4+20240414-1
less recommends no packages.
less suggests no packages.
-- no debconf information
--
Vincent Lefèvre <[email protected]> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
--- End Message ---
--- Begin Message ---
Source: less
Source-Version: 551-2+deb11u2
Done: Salvatore Bonaccorso <[email protected]>
We believe that the bug you reported is fixed in the latest version of
less, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Salvatore Bonaccorso <[email protected]> (supplier of updated less package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Thu, 02 May 2024 20:29:26 +0200
Source: less
Architecture: source
Version: 551-2+deb11u2
Distribution: bullseye-security
Urgency: high
Maintainer: Milan Kupcevic <[email protected]>
Changed-By: Salvatore Bonaccorso <[email protected]>
Closes: 1064293 1068938 1069681
Changes:
less (551-2+deb11u2) bullseye-security; urgency=high
.
* Non-maintainer upload by the Security Team.
.
[ Milan Kupcevic ]
* Fix incorrect display when filename contains control chars
(Closes: #1069681)
.
less (551-2+deb11u1) bullseye-security; urgency=high
.
* Non-maintainer upload by the Security Team.
* Shell-quote filenames when invoking LESSCLOSE (CVE-2022-48624)
(Closes: #1064293)
* Fix bug when viewing a file whose name contains a newline (CVE-2024-32487)
(Closes: #1068938)
Checksums-Sha1:
284666aff7d0a3e0719eb2675eb7fc8db39a5520 1968 less_551-2+deb11u2.dsc
70af3c8dfa2c3611b16691acaaead33d6ca5e885 20696 less_551-2+deb11u2.debian.tar.xz
Checksums-Sha256:
19f72b42c4f99c402d30c52bb0fc10b0084ff69f50e7482fb64091a75065fdd1 1968
less_551-2+deb11u2.dsc
d1679210766e0cd7280411d1d55138633076fb47af5fadb58e1341fedef834ec 20696
less_551-2+deb11u2.debian.tar.xz
Files:
57c11d84044eb3e10a896a02e94129f5 1968 text important less_551-2+deb11u2.dsc
20d9522502289f5ed6706604ec0e020f 20696 text important
less_551-2+deb11u2.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
iQKmBAEBCgCQFiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmYz285fFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQSHGNhcm5pbEBk
ZWJpYW4ub3JnAAoJEAVMuPMTQ89Ez1QP/je0Iu60GbbZypElGvy3S618tU94Ishy
vkawxYkAKCUEdZ4ACPbKZyJ5DLJJk0Rs+Bmi2SUqUAWRLo9fsBnxLDTFU3xFfaW2
UJOtT0CJdJb6VNIDJLjGg7Gh4d0oKL1eff/+DJziJQVfH4X6hDzJm4mcYqvDiXU4
PJFZs0GQL77gYu3GasXOI0qcHpZ2lZIBeuAJapQTkwPvBQ5v9k5xGgWXxgUgjAs6
kD947R42wYPUdJe2tZDwR3xyRaVCtY42hIIS3jV7+pkyOiLxpSAYXO+Yi17Drpq9
gt3nzjRl8exA7vXbeQFw5j4IPf/FI5/KZ8VRX3TDhVaUbSf8SyAGrFCbDTHcDPd1
KABTJcMIIXOY0uwHx03QEvBPwMaqs7QwytDYL/4iQcTndigoZzv7bL5zIUJs6BsL
VM+WayVfRqIdX3rkUaOI9hhFziOH73mIn9qeV6PTwjSGBe3SnT5+T6e4PR5A25Zi
yzfpvvm5JWP2/cATYgQP7BfkZLrMFR0AXITnc1AOZWeufA1DyNnRRijfDhDBSu1V
/juuaAo9aWZl+tZtMqNbYTPQ3ZXaVy4riRqnm3reX+Eyn26wGjUgEunElBM64ctk
kDmLyUviiBcP5wfWbBmwUTehIwbAlQCgqVim0skUfYYbz5VSDwCWXLdU1R35P9Dg
Zzzr6rpPA2RZ
=QMuU
-----END PGP SIGNATURE-----
pgpsZ2sMeY8pu.pgp
Description: PGP signature
--- End Message ---
