oss-sec mailing list archives

Re: so, can we do something about lesspipe? (+ a cpio bug to back up the argument)


From: Hanno Böck <hanno () hboeck de>
Date: Sun, 23 Nov 2014 10:52:19 +0100

On Sun, 23 Nov 2014 01:24:11 -0800
Michal Zalewski <lcamtuf () coredump cx> wrote:

> WDYT?

lesspipe is a tough one.

First of all let me remind you that I recently found an out-of-bounds
access in less's unicode decoding itself. Upstream is not responding
atm. It's only a read error, but it was not even fuzzing, it was an
accidental finding; I'd expect that further analysis might yield
more.


Now lesspipe: I didn't know that this thing exists until very
recently but I was aware that less did some kind of parsing and e.g. I
quite liked the idea that you can "less" gz/bzip2 files.

Actually, leaving security aside, I quite like the idea of lesspipe, so
I'm reluctant to say "lesspipe scripts have gotta die / be disabled".

That said the alternative is a tough one. It would be something
like this:
* Fuzz all the things in lesspipe
* Report what you find
* Kill the tools that have unsatisfying upstream reactions and replace
  them with more secure ones.
And even after doing this, this probably wouldn't count as a high
security solution.

I'm aware this feels like a huge effort, but actually it fits very
well in the project I'm about to start anyway. And lesspipe gives a good
starting point for which tools might deserve some more fuzzing.

cu,
-- 
Hanno Böck
http://hboeck.de/

mail/jabber: hanno () hboeck de
GPG: BBB51E42

