oss-sec mailing list archives
Re: so, can we do something about lesspipe? (+ a cpio bug to back up the argument)
From: Bernhard Hermann <bernhard.hermann () gmail com>
Date: Sun, 23 Nov 2014 15:19:36 +0100
I agree to both of you and to me it is an important issue. I don't want to be infected with malware while checking whether a file is malware :-( or my distro doing something in the background that I'm not even aware of. Unfortunately I don't feel like I'm up to the task. But I would be very glad if others (you two seem very qualified to me) would tackle these problems. If money can help with this I'd be willing to throw in a few dozen currency units to support this cause. (I hope that doesn't reduce intrinsic motivation?) br, BH On 23 Nov 2014 10:52, "Hanno Böck" <hanno () hboeck de> wrote:
On Sun, 23 Nov 2014 01:24:11 -0800 Michal Zalewski <lcamtuf () coredump cx> wrote:WDYT?lesspipe is a tough one. First of all let me remind that I recently found an out of bounds access in less's unicode decoding itself. Upstream is not responsing atm. It's only a read error, but it was not even fuzzing, it was an accidental finding, I'd expect that further analysis might yield to more. Now lesspipe: I didn't know that this thing exists until very recently but I was aware that less did some kind of parsing and e.g. I quite liked the idea that you can "less" gz/bzip2 files. Actually leaving security asside I quite like the idea of lesspipe, so I'm reluctant to say "lesspipe scripts have gotta die / be disabled". That said the alternative is a tough one. It would be something like this: * Fuzz all the things in lesspipe * Report what you find * Kill the tools that have unsatisfying upstream reactions and replace them with more secure ones. And even after doing this this probably wouldn't count as a high security solution. I'm aware this feels like a huge effort, but actually it fits very well in the project I'm about to start anyway. And lesspipe gives a good starting point to what tools might deserve some more fuzzing. cu, -- Hanno Böck http://hboeck.de/ mail/jabber: hanno () hboeck de GPG: BBB51E42
Current thread:
- so, can we do something about lesspipe? (+ a cpio bug to back up the argument) Michal Zalewski (Nov 23)
- Re: so, can we do something about lesspipe? (+ a cpio bug to back up the argument) Hanno Böck (Nov 23)
- Re: so, can we do something about lesspipe? (+ a cpio bug to back up the argument) Bernhard Hermann (Nov 23)
- Re: so, can we do something about lesspipe? (+ a cpio bug to back up the argument) Alexander Cherepanov (Dec 11)
- Re: so, can we do something about lesspipe? (+ a cpio bug to back up the argument) Alexander Cherepanov (Nov 23)
- Re: so, can we do something about lesspipe? (+ a cpio bug to back up the argument) Lionel Debroux (Nov 23)
- Re: so, can we do something about lesspipe? (+ a cpio bug to back up the argument) Michael Samuel (Nov 23)
- CVE request: cpio heap-based buffer overflow [was Re: [oss-security] so, can we do something about lesspipe? (+ a cpio bug to back up the argument)] Murray McAllister (Nov 24)
- Re: so, can we do something about lesspipe? (+ a cpio bug to back up the argument) Alexander Cherepanov (Dec 11)
- Re: so, can we do something about lesspipe? (+ a cpio bug to back up the argument) Hanno Böck (Nov 23)