Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

less out of bounds read access - TFPA 002/2014

From: Hanno Böck <hanno () hboeck de>
Date: Sun, 30 Nov 2014 13:14:12 +0100
less out of bounds read access - TFPA 002/2014
https://blog.fuzzing-project.org/3-less-out-of-bounds-read-access-TFPA-0022014.html

An out of bounds read access in the UTF-8 decoding can be triggered
with a malformed file in the tool less. The access happens in the
function is_utf8_well_formed (charset.c, line 534) due to a truncated
multibyte character in the sample file. It affects the latest upstream
less version 470. The bug does not crash less, it can only be made
visible by running less with valgrind or compiling it with Address
Sanitizer. The security impact is likely minor as it is only an invalid
read access.

This issue has been found with the help of Address Sanitizer.

The upstream developers have been informed about this issue on 4th
November 2014, no fix is available yet. The less webpage has no bug
tracker, no open mailing list and no other way to publicly report and
document bugs.

Conclusion

Even tools that only do very minor file parsing can expose bugs due to
charset encoding, especially in multibyte characters. Please note that
the bigger security threat in less comes from the use of lesspipe.

It is unsettling that the upstream project of an important tool like
less is completely unresponsive to bugs and has no public way to
discuss them.

less out of bounds read sample with gif header
https://crashes.fuzzing-project.org/TFPA-2014-002-less-oob

simpler sample with no header, only works when LESSOPEN is not set
https://crashes.fuzzing-project.org/TFPA-2014-002-less-oob-no-lesspipe

OSVDB 115007 : less GIF File Handling Out-of-bounds Read Issue
http://osvdb.org/show/osvdb/115007

Discussion of lesspipe security issues on oss-security
http://seclists.org/oss-sec/2014/q4/769

-- 
Hanno Böck
http://hboeck.de/

mail/jabber: hanno () hboeck de
GPG: BBB51E42

Attachment: _bin
Description: OpenPGP digital signature


_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Previous By Date Next
Previous By Thread Next

Current thread: