Package: less
Version: 590-2.1
Severity: important
Tags: security
X-Debbugs-Cc: Debian Security Team <t...@security.debian.org>

"less" does not escape special characters when outputting the filename, either in the status line or in an error message. With untrusted filenames (like in CVE-2024-32487), weird things can happen in the terminal, which might be used for attacks.

For instance,

$ echo foo > test$'\033'\[\?40h$'\033'\[\?3h
$ less test$'\033'\[\?40h$'\033'\[\?3h

(in shells that understand the $'...' syntax, such as bash or zsh) resizes the xterm window from 80 columns to 132 columns.

I can't reproduce this issue with the upstream version when the file is viewable (the status line can be a bit incorrect, though); I suppose that there was some fix in the recent past.

When the file is not viewable, same problem due to the error message.

I've reported the bug here:

  https://github.com/gwsw/less/issues/503

-- System Information:
Debian Release: trixie/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable-debug'), (500, 'proposed-updates-debug'), (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.6.15-amd64 (SMP w/12 CPU threads; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages less depends on:
ii  libc6      2.37-18
ii  libtinfo6  6.4+20240414-1

less recommends no packages.

less suggests no packages.

-- no debconf information

-- 
Vincent Lefèvre <vinc...@vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)