oss-sec mailing list archives
Re: so, can we do something about lesspipe? (+ a cpio bug to back up the argument)
From: Hanno Böck <hanno () hboeck de>
Date: Sun, 23 Nov 2014 10:52:19 +0100
On Sun, 23 Nov 2014 01:24:11 -0800 Michal Zalewski <lcamtuf () coredump cx> wrote:
WDYT?
lesspipe is a tough one.

First of all, let me remind you that I recently found an out-of-bounds access in less's unicode decoding itself. Upstream is not responding atm. It's only a read error, but it was not even fuzzing, it was an accidental finding; I'd expect that further analysis might yield more.

Now lesspipe: I didn't know that this thing exists until very recently, but I was aware that less did some kind of parsing and e.g. I quite liked the idea that you can "less" gz/bzip2 files. Actually, leaving security aside, I quite like the idea of lesspipe, so I'm reluctant to say "lesspipe scripts have gotta die / be disabled".

That said, the alternative is a tough one. It would be something like this:

* Fuzz all the things in lesspipe
* Report what you find
* Kill the tools that have unsatisfying upstream reactions and replace them with more secure ones.

And even after doing this, this probably wouldn't count as a high security solution.

I'm aware this feels like a huge effort, but actually it fits very well in the project I'm about to start anyway. And lesspipe gives a good starting point to what tools might deserve some more fuzzing.

cu,
--
Hanno Böck
http://hboeck.de/

mail/jabber: hanno () hboeck de
GPG: BBB51E42