Message-ID: <41239B36.1010400@gmx.net>
From: sakpolat at gmx.net (Serkan Akpolat)
Subject: gnu-less Format String Vulnerability

Tim wrote:
>>+-----[ Description ]-----+
>>
>>Format string vulnerability.
>>
>>
>>+-----[ Vulnerable Code ]-----+
>>From less-382:
>>
>>[filename.c] : 787
>>
>>    public char *
>>open_altfile(filename, pf, pfd)
>>    char *filename;
>>    int *pf;
>>    void **pfd;
>>{
>>    ...................
>>    if ((lessopen = lgetenv("LESSOPEN")) == NULL
>>    ...................
>>    sprintf(cmd, lessopen, filename); <-- Format String Problem Here
>>    ...................
>>
>>}
> 
> 
> 
> I am sorry, I fail to see how this is a vulnerability.
> 
> If you have control of LESSOPEN, you already have shell, since, from the
> man page:
> 
> "An input preprocessor is simply an executable program (or shell
> script), which writes the  contents of the file to a different file,
> called the replacement file.
> ...
> To  set  up  an input  preprocessor, set the LESSOPEN environment
> variable to a command line which will invoke your  input  preprocessor."
> 
> 
> Perhaps it would be better written if the LESSOPEN parser only allowed
> %s to work, as advertized, and not the other sprintf codes, but it
> really isn't a security issue (unless I am totally missing something).
> If you are really worried about it, add the -L option when running less,
> and it will ignore LESSOPEN.
> 
> cheers,
> tim
> 

Yes, thank you for the correction.
It is a bug, not a vulnerability.
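Tim's suggestion above, that the LESSOPEN template should honour only `%s` rather than the full set of sprintf conversions, can be implemented without ever handing the environment string to `sprintf` as a format. The following is an added example written for this thread; it is not code from less or from either poster. The function name `expand_lessopen` and the buffer sizes are my own choices, and the template and filename in `main` are constructed sample input.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Expand a LESSOPEN-style template by hand.  The only conversion
 * accepted is %s, which is replaced with the filename; any other '%'
 * sequence (%n, %x, ...) makes the template invalid and the call fails.
 * Because the template is copied character by character and never
 * passed to sprintf as a format string, a hostile LESSOPEN value cannot
 * steer the formatter.
 *
 * Returns 0 on success with a NUL-terminated command in out, or -1 if
 * the template is rejected or the result would not fit in outlen bytes.
 * (Hypothetical helper; less itself has no function by this name.) */
int expand_lessopen(const char *tmpl, const char *filename,
                    char *out, size_t outlen)
{
    size_t o = 0;
    size_t flen = strlen(filename);

    if (outlen == 0)
        return -1;

    for (const char *p = tmpl; *p != '\0'; p++) {
        if (*p == '%') {
            if (p[1] != 's')
                return -1;              /* only %s is permitted */
            if (o + flen >= outlen)     /* leave room for the NUL */
                return -1;
            memcpy(out + o, filename, flen);
            o += flen;
            p++;                        /* skip the 's' */
            continue;
        }
        if (o + 1 >= outlen)
            return -1;
        out[o++] = *p;
    }
    out[o] = '\0';
    return 0;
}

int main(void)
{
    /* Constructed sample values standing in for getenv("LESSOPEN")
     * and the file being viewed. */
    const char *good = "lesspipe.sh %s";
    const char *bad  = "lesspipe.sh %n%n%n";
    char cmd[256];

    if (expand_lessopen(good, "notes.txt", cmd, sizeof cmd) == 0)
        printf("command: %s\n", cmd);

    if (expand_lessopen(bad, "notes.txt", cmd, sizeof cmd) != 0)
        printf("rejected template: %s\n", bad);

    return 0;
}
```

The vulnerable line in the thread, `sprintf(cmd, lessopen, filename)`, trusts `lessopen` as a format string, so a template containing `%n` or extra `%s` conversions is interpreted by the formatter. The replacement above treats the template as data: a `%s` is substituted, anything else after a `%` causes a clean failure, and the output length is checked against the destination buffer so an over-long filename cannot overflow `cmd` either.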

