lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Sun, 30 Nov 2014 13:14:12 +0100
From: Hanno Böck <hanno@...eck.de>
To: fulldisclosure@...lists.org
Subject: [FD] less out of bounds read access - TFPA 002/2014

less out of bounds read access - TFPA 002/2014
https://blog.fuzzing-project.org/3-less-out-of-bounds-read-access-TFPA-0022014.html

An out of bounds read access in the UTF-8 decoding can be triggered
with a malformed file in the tool less. The access happens in the
function is_utf8_well_formed (charset.c, line 534) due to a truncated
multibyte character in the sample file. It affects the latest upstream
less version 470. The bug does not crash less, it can only be made
visible by running less with valgrind or compiling it with Address
Sanitizer. The security impact is likely minor as it is only an invalid
read access.

This issue has been found with the help of Address Sanitizer.

The upstream developers have been informed about this issue on 4th
November 2014, no fix is available yet. The less webpage has no bug
tracker, no open mailing list and no other way to publicly report and
document bugs.

Conclusion

Even tools that only do very minor file parsing can expose bugs due to
charset encoding, especially in multibyte characters. Please note that
the bigger security threat in less comes from the use of lesspipe.

It is unsettling that the upstream project of an important tool like
less is completely unresponsive to bugs and has no public way to
discuss them.

less out of bounds read sample with gif header
https://crashes.fuzzing-project.org/TFPA-2014-002-less-oob

simpler sample with no header, only works when LESSOPEN is not set
https://crashes.fuzzing-project.org/TFPA-2014-002-less-oob-no-lesspipe

OSVDB 115007 : less GIF File Handling Out-of-bounds Read Issue
http://osvdb.org/show/osvdb/115007

Discussion of lesspipe security issues on oss-security
http://seclists.org/oss-sec/2014/q4/769

-- 
Hanno Böck
http://hboeck.de/

mail/jabber: hanno@...eck.de
GPG: BBB51E42

Content of type "application/pgp-signature" skipped


_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists