The bug is Red Hat specific. It was introduced by a patch they apply to less.
This is a comment taken from https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=145527



Additional Comment #15 From Josh Bressers (Security Response Team) on 2005-01-25 09:27 -------


I've done some investigating on this issue.  This problem is caused by
a patch we apply to the RHEL3 less.  It does not affect the original
version, or any upstream versions I've tried.



Joey Hess wrote:
Package: less
Version: 382-2
Severity: grave
Tags: security patch

less is vulnerable to a heap-based buffer overflow that can be triggered
by viewing certain binary files. This is theoretically exploitable by
providing a user with such a file and waiting for him to run less on it.

The problem was discovered by Red Hat and involves the expand_linebuf
function neglecting to expand the size of the charset buffer when it
expands the other buffers. Details in their BTS, including a test case
and a patch: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=145527

I tried to exploit it on Debian but failed to see the crash; however,
this could be due to setup differences from Red Hat. The code seems to
be the same.

Please use CAN-2005-0086 when referring to this security hole.

-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.4.27
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

Versions of packages less depends on:
ii  debianutils                 2.11.2       Miscellaneous utilities specific t
ii  libc6                       2.3.2.ds1-20 GNU C Library: Shared libraries an
ii  libncurses5                 5.4-4        Shared libraries for terminal hand

-- no debconf information
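
The bug class described in the report, as an added illustration that is not part of the original message and is not the source of less or of the Red Hat patch. The struct, field and function names are hypothetical; it shows the parallel-array growth mistake next to the corrected form, with a bounds check that refuses the out-of-range column.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for a line buffer with parallel per-column arrays;
   names are assumptions, not taken from less or from the Red Hat patch. */
struct linebufs {
    char *text, *attr, *charset;
    size_t text_cap, attr_cap, charset_cap;
};

/* Grow one array to new_cap bytes, zero-filling the new tail. 0 on success. */
static int grow(char **p, size_t *cap, size_t new_cap) {
    char *q = realloc(*p, new_cap);
    if (q == NULL) return -1;
    memset(q + *cap, 0, new_cap - *cap);
    *p = q; *cap = new_cap;
    return 0;
}

/* Bug pattern from the report: one parallel array keeps its old size. */
int expand_buggy(struct linebufs *b) {
    size_t n = b->text_cap ? b->text_cap * 2 : 16;
    if (grow(&b->text, &b->text_cap, n)) return -1;
    return grow(&b->attr, &b->attr_cap, n);   /* charset forgotten */
}

/* Corrected form: every array indexed by the same column grows together. */
int expand_fixed(struct linebufs *b) {
    size_t n = b->text_cap ? b->text_cap * 2 : 16;
    if (grow(&b->text, &b->text_cap, n)) return -1;
    if (grow(&b->attr, &b->attr_cap, n)) return -1;
    return grow(&b->charset, &b->charset_cap, n);
}

/* Store one column; refuses an index outside any of the three arrays. */
int put_col(struct linebufs *b, size_t i, char c, char a, char cs) {
    if (i >= b->text_cap || i >= b->attr_cap || i >= b->charset_cap) return -1;
    b->text[i] = c; b->attr[i] = a; b->charset[i] = cs;
    return 0;
}

int main(void) {
    struct linebufs b = {0};
    if (expand_fixed(&b) || expand_buggy(&b)) return 1;
    printf("text=%zu charset=%zu\n", b.text_cap, b.charset_cap);
    printf("write at column 20: %d\n", put_col(&b, 20, 'x', 0, 0));
    free(b.text); free(b.attr); free(b.charset);
    return 0;
}
```

Without the per-array check in `put_col`, the store to column 20 would land past the end of the 16-byte `charset` allocation.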


