Bug#1068938: marked as done (less: CVE-2024-32487: with LESSOPEN mishandles \n in paths)

2024-05-05 Thread Debian Bug Tracking System
Your message dated Sun, 05 May 2024 19:18:13 +
with message-id 
and subject line Bug#1068938: fixed in less 551-2+deb11u2
has caused the Debian Bug report #1068938,
regarding less: CVE-2024-32487: with LESSOPEN mishandles \n in paths
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1068938: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068938
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: less
Version: 590-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team 

Hi,

The following vulnerability was published for less.

CVE-2024-32487[0]:
| less through 653 allows OS command execution via a newline character
| in the name of a file, because quoting is mishandled in filename.c.
| Exploitation typically requires use with attacker-controlled file
| names, such as the files extracted from an untrusted archive.
| Exploitation also requires the LESSOPEN environment variable, but
| this is set by default in many common cases.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-32487
https://www.cve.org/CVERecord?id=CVE-2024-32487
[1] https://www.openwall.com/lists/oss-security/2024/04/12/5

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
--- End Message ---
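
A defensive check for the preconditions named in the CVE text above, as an added example that is not part of the bug report or of less: it lists tar members whose names contain a newline or other control character without extracting anything, and reports whether LESSOPEN is set. The function names and the sample archive are constructed for illustration.

```python
import io
import os
import tarfile


def control_chars(name):
    """Return the sorted set of C0 control characters (and DEL) found in name."""
    return sorted({c for c in name if ord(c) < 0x20 or ord(c) == 0x7F})


def audit_archive(tar_bytes, env=None):
    """List archive members whose names are unsafe to hand to an input preprocessor.

    Returns (lessopen_set, findings); each finding is (repr(name), reason).
    Names are read from the archive index only; nothing is extracted.
    """
    env = os.environ if env is None else env
    lessopen_set = bool(env.get("LESSOPEN"))
    findings = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for member in tar.getmembers():
            bad = control_chars(member.name)
            if not bad:
                continue
            if "\n" in bad:
                reason = "newline in name (CVE-2024-32487 precondition)"
            else:
                reason = "control character in name"
            findings.append((repr(member.name), reason))
    return lessopen_set, findings


def build_sample_archive():
    """Constructed sample: three empty members, two with control characters."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in ("docs/README", "docs/notes\nv2.txt", "docs/tab\there.txt"):
            info = tarfile.TarInfo(name=name)
            info.size = 0
            tar.addfile(info, io.BytesIO(b""))
    return buf.getvalue()


if __name__ == "__main__":
    lessopen, findings = audit_archive(build_sample_archive())
    print("LESSOPEN set:", lessopen)
    for name, reason in findings:
        print(f"{name}: {reason}")
```
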
--- Begin Message ---
Source: less
Source-Version: 551-2+deb11u2
Done: Salvatore Bonaccorso 

We believe that the bug you reported is fixed in the latest version of
less, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1068...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso  (supplier of updated less package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Thu, 02 May 2024 20:29:26 +0200
Source: less
Architecture: source
Version: 551-2+deb11u2
Distribution: bullseye-security
Urgency: high
Maintainer: Milan Kupcevic 
Changed-By: Salvatore Bonaccorso 
Closes: 1064293 1068938 1069681
Changes:
 less (551-2+deb11u2) bullseye-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
 .
   [ Milan Kupcevic ]
   * Fix incorrect display when filename contains control chars
 (Closes: #1069681)
 .
 less (551-2+deb11u1) bullseye-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Shell-quote filenames when invoking LESSCLOSE (CVE-2022-48624)
 (Closes: #1064293)
   * Fix bug when viewing a file whose name contains a newline (CVE-2024-32487)
 (Closes: #1068938)

-BEGIN PGP SIGNATURE-

Bug#1068938: marked as done (less: CVE-2024-32487: with LESSOPEN mishandles \n in paths)

2024-05-05 Thread Debian Bug Tracking System
Your message dated Sun, 05 May 2024 19:18:09 +
with message-id 
and subject line Bug#1068938: fixed in less 551-2+deb11u1
has caused the Debian Bug report #1068938,
regarding less: CVE-2024-32487: with LESSOPEN mishandles \n in paths
to be marked as done.

--- Begin Message ---
Source: less
Source-Version: 551-2+deb11u1
Done: Salvatore Bonaccorso 

We believe that the bug you reported is fixed in the latest version of
less, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1068...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso  (supplier of updated less package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Fri, 19 Apr 2024 21:37:35 +0200
Source: less
Architecture: source
Version: 551-2+deb11u1
Distribution: bullseye-security
Urgency: high
Maintainer: Milan Kupcevic 
Changed-By: Salvatore Bonaccorso 
Closes: 1064293 1068938
Changes:
 less (551-2+deb11u1) bullseye-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Shell-quote filenames when invoking LESSCLOSE (CVE-2022-48624)
 (Closes: #1064293)
   * Fix bug when viewing a file whose name contains a newline (CVE-2024-32487)
 (Closes: #1068938)

-BEGIN PGP SIGNATURE-

Bug#1068938: marked as done (less: CVE-2024-32487: with LESSOPEN mishandles \n in paths)

2024-05-05 Thread Debian Bug Tracking System
Your message dated Sun, 05 May 2024 18:48:09 +
with message-id 
and subject line Bug#1068938: fixed in less 590-2.1~deb12u2
has caused the Debian Bug report #1068938,
regarding less: CVE-2024-32487: with LESSOPEN mishandles \n in paths
to be marked as done.

--- Begin Message ---
Source: less
Source-Version: 590-2.1~deb12u2
Done: Salvatore Bonaccorso 

We believe that the bug you reported is fixed in the latest version of
less, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1068...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso  (supplier of updated less package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Thu, 02 May 2024 20:30:51 +0200
Source: less
Architecture: source
Version: 590-2.1~deb12u2
Distribution: bookworm-security
Urgency: high
Maintainer: Milan Kupcevic 
Changed-By: Salvatore Bonaccorso 
Closes: 1064293 1068938 1069681
Changes:
 less (590-2.1~deb12u2) bookworm-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
 .
   [ Milan Kupcevic ]
   * Fix incorrect display when filename contains control chars
 (Closes: #1069681)
 .
 less (590-2.1~deb12u1) bookworm-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Rebuild for bookworm-security
 .
 less (590-2.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * Shell-quote filenames when invoking LESSCLOSE (CVE-2022-48624)
 (Closes: #1064293)
   * Fix bug when viewing a file whose name contains a newline (CVE-2024-32487)
 (Closes: #1068938)

-BEGIN PGP SIGNATURE-

Bug#1068938: marked as done (less: CVE-2024-32487: with LESSOPEN mishandles \n in paths)

2024-05-05 Thread Debian Bug Tracking System
Your message dated Sun, 05 May 2024 18:48:05 +
with message-id 
and subject line Bug#1068938: fixed in less 590-2.1~deb12u1
has caused the Debian Bug report #1068938,
regarding less: CVE-2024-32487: with LESSOPEN mishandles \n in paths
to be marked as done.

--- Begin Message ---
Source: less
Source-Version: 590-2.1~deb12u1
Done: Salvatore Bonaccorso 

We believe that the bug you reported is fixed in the latest version of
less, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1068...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso  (supplier of updated less package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Fri, 19 Apr 2024 20:58:00 +0200
Source: less
Architecture: source
Version: 590-2.1~deb12u1
Distribution: bookworm-security
Urgency: high
Maintainer: Milan Kupcevic 
Changed-By: Salvatore Bonaccorso 
Closes: 1064293 1068938
Changes:
 less (590-2.1~deb12u1) bookworm-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Rebuild for bookworm-security
 .
 less (590-2.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * Shell-quote filenames when invoking LESSCLOSE (CVE-2022-48624)
 (Closes: #1064293)
   * Fix bug when viewing a file whose name contains a newline (CVE-2024-32487)
 (Closes: #1068938)

-BEGIN PGP SIGNATURE-

Bug#1068938: marked as done (less: CVE-2024-32487: with LESSOPEN mishandles \n in paths)

2024-04-21 Thread Debian Bug Tracking System
Your message dated Sun, 21 Apr 2024 15:49:35 +
with message-id 
and subject line Bug#1068938: fixed in less 590-2.1
has caused the Debian Bug report #1068938,
regarding less: CVE-2024-32487: with LESSOPEN mishandles \n in paths
to be marked as done.

--- Begin Message ---
Source: less
Source-Version: 590-2.1
Done: Salvatore Bonaccorso 

We believe that the bug you reported is fixed in the latest version of
less, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1068...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso  (supplier of updated less package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Fri, 19 Apr 2024 15:09:49 +0200
Source: less
Architecture: source
Version: 590-2.1
Distribution: unstable
Urgency: medium
Maintainer: Milan Kupcevic 
Changed-By: Salvatore Bonaccorso 
Closes: 1064293 1068938
Changes:
 less (590-2.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * Shell-quote filenames when invoking LESSCLOSE (CVE-2022-48624)
 (Closes: #1064293)
   * Fix bug when viewing a file whose name contains a newline (CVE-2024-32487)
 (Closes: #1068938)

-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



--- End Message ---