oss-sec mailing list archives
Re: so, can we do something about lesspipe? (+ a cpio bug to back up the argument)
From: Michael Samuel <mik () miknet net>
Date: Mon, 24 Nov 2014 11:25:34 +1100
On 23 November 2014 at 20:24, Michal Zalewski <lcamtuf () coredump cx> wrote:
Ultimately, I think that there's an expectation that running less on a downloaded file won't lead to RCE, and the lesspipe behavior in many distros is almost certainly violating that. I'm also not sure if the automation actually scratches any real itch - I doubt that people try to run 'less' on CD images or ar archives when knowingly working with files of that sort. WDYT?
It's distros that are shipping the lesspipe defaults (AFAIK), and at-least the ones you mentioned have "sandbox" capabilities. I think it's reasonable on Ubuntu and RHEL to use AppArmor/SELinux to be paranoid in a lesspipe context (eg. not allow access to private files etc - it pipes right?). Regards, Michael
Current thread:
- so, can we do something about lesspipe? (+ a cpio bug to back up the argument) Michal Zalewski (Nov 23)
- Re: so, can we do something about lesspipe? (+ a cpio bug to back up the argument) Hanno Böck (Nov 23)
- Re: so, can we do something about lesspipe? (+ a cpio bug to back up the argument) Bernhard Hermann (Nov 23)
- Re: so, can we do something about lesspipe? (+ a cpio bug to back up the argument) Alexander Cherepanov (Dec 11)
- Re: so, can we do something about lesspipe? (+ a cpio bug to back up the argument) Alexander Cherepanov (Nov 23)
- Re: so, can we do something about lesspipe? (+ a cpio bug to back up the argument) Lionel Debroux (Nov 23)
- Re: so, can we do something about lesspipe? (+ a cpio bug to back up the argument) Michael Samuel (Nov 23)
- CVE request: cpio heap-based buffer overflow [was Re: [oss-security] so, can we do something about lesspipe? (+ a cpio bug to back up the argument)] Murray McAllister (Nov 24)
- Re: so, can we do something about lesspipe? (+ a cpio bug to back up the argument) Alexander Cherepanov (Dec 11)
- Re: so, can we do something about lesspipe? (+ a cpio bug to back up the argument) Hanno Böck (Nov 23)