Your message dated Sun, 05 May 2024 18:48:05 +0000
with message-id <e1s3gu5-004xou...@fasolo.debian.org>
and subject line Bug#1068938: fixed in less 590-2.1~deb12u1
has caused the Debian Bug report #1068938,
regarding less: CVE-2024-32487: with LESSOPEN mishandles \n in paths
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)

--
1068938: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068938
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: less
Version: 590-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for less.

CVE-2024-32487[0]:
| less through 653 allows OS command execution via a newline character
| in the name of a file, because quoting is mishandled in filename.c.
| Exploitation typically requires use with attacker-controlled file
| names, such as the files extracted from an untrusted archive.
| Exploitation also requires the LESSOPEN environment variable, but
| this is set by default in many common cases.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-32487
    https://www.cve.org/CVERecord?id=CVE-2024-32487
[1] https://www.openwall.com/lists/oss-security/2024/04/12/5

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
--- End Message ---
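A defender-side check for the two preconditions the advisory above names (a file name containing a newline, and LESSOPEN being set), as an added example that is not code from this bug thread or from the less source: it counts newline-containing names under a directory such as an archive's extraction point, and shows the generic POSIX single-quoting under which such a name stays one inert argument. The function names and the script file name are my own.

```shell
#!/bin/sh
# Added example; not code from the Debian bug thread or from less itself.
# Before paging files from an untrusted archive, count entries whose name
# contains a newline, the character CVE-2024-32487 mishandles when LESSOPEN
# is set, and report whether LESSOPEN is set in this environment.

# A literal newline; the trailing x stops $(...) from stripping it.
NL=$(printf '\nx'); NL=${NL%x}

# Print the number of entries under directory $1 whose name contains a
# newline. The -name pattern is "*<newline>*"; printing one byte per match
# and counting bytes avoids newline-delimited output, which the very names
# being searched for would break.
count_newline_names() {
    find "$1" -name "*${NL}*" -exec printf x \; | wc -c | tr -d ' '
}

# Exit 0 when tree $1 holds no newline-containing names, 1 otherwise, after
# printing a one-line summary that includes the LESSOPEN state.
check_tree() {
    n=$(count_newline_names "$1")
    if [ -n "${LESSOPEN:-}" ]; then
        state="LESSOPEN is set"
    else
        state="LESSOPEN is unset"
    fi
    printf '%s: %s name(s) contain a newline; %s\n' "$1" "$n" "$state"
    [ "$n" -eq 0 ]
}

# Quote $1 as one shell word: wrap in single quotes and turn each embedded
# ' into '\''. Inside single quotes a newline is plain data, so a name such
# as "first<newline>second" stays a single argument to a shell command.
# This is generic POSIX quoting, not the fix applied in less's filename.c.
shell_quote() {
    s=$1 out=
    while [ -n "$s" ]; do
        case $s in
            "'"*) out="$out'\\''" ;;
            *)    out="$out${s%"${s#?}"}" ;;
        esac
        s=${s#?}
    done
    printf "'%s'" "$out"
}

# Usage: sh check_newline_names.sh /path/to/extracted/archive
if [ $# -eq 1 ]; then
    check_tree "$1"
fi
```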
--- Begin Message ---
Source: less
Source-Version: 590-2.1~deb12u1
Done: Salvatore Bonaccorso <car...@debian.org>

We believe that the bug you reported is fixed in the latest version of
less, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1068...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <car...@debian.org> (supplier of updated less package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)

Format: 1.8
Date: Fri, 19 Apr 2024 20:58:00 +0200
Source: less
Architecture: source
Version: 590-2.1~deb12u1
Distribution: bookworm-security
Urgency: high
Maintainer: Milan Kupcevic <mi...@debian.org>
Changed-By: Salvatore Bonaccorso <car...@debian.org>
Closes: 1064293 1068938
Changes:
 less (590-2.1~deb12u1) bookworm-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Rebuild for bookworm-security
 .
 less (590-2.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * Shell-quote filenames when invoking LESSCLOSE (CVE-2022-48624)
     (Closes: #1064293)
   * Fix bug when viewing a file whose name contains a newline
     (CVE-2024-32487) (Closes: #1068938)
--- End Message ---