Full Disclosure mailing list archives
Re: [+] Vulnerability in less version 394 and prior
From: Jonathan Smith <smithj () freethemallocs com>
Date: Tue, 30 Oct 2007 21:04:27 -0800
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 glopeda.com wrote:
From: glopeda () glopeda com Application: less 394 and prior Type: Format strings vulnerability Priority: Low There exists a format strings bug in the less application present in most flavors of UNIX. It could be leveraged for privilege escalation if the calling application is setuid/setgid and does not properly drop privileges. Meager demonstration: $ export LESSOPEN=%s%n $ less somefile Segmentation fault $ See http://www.glopeda.com for more details.
Still some strangeness on the latest version: smithj@localhost ~ $ export LESSOPEN=%s%n smithj@localhost ~ $ less route.txt *** %n in writable segment detected *** Aborted smithj@localhost ~ $ conary query less less=409-1-0.1[is: x86] Given the details in the original post, I don't think this is a security issue. If a program doesn't properly shed s{u,g}id bits, that program should be fixed. This is still a bug, though, so I'm CCing the maintainer on this email. smithj -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.7 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFHKAzbCG91qXPaRekRApAzAJ4mcIN5+vp9IjPWEQKRAP6q4dSl4QCfbkBh 7OPWx46AeHZF/9cGMqrBZHc= =S7Fs -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- [+] Vulnerability in less version 394 and prior glopeda . com (Oct 30)
- Re: [+] Vulnerability in less version 394 and prior fdlist (Oct 30)
- Re: [+] Vulnerability in less version 394 and prior Jonathan Smith (Oct 30)
- Message not available
- Re: [+] Vulnerability in less version 394 and prior Jeffrey Denton (Oct 31)
- Re: [+] Vulnerability in less version 394 and prior glopeda . com (Oct 31)
- Re: [+] Vulnerability in less version 394 and prior Jeffrey Denton (Oct 31)