OpenSuSE has issued an advisory today (March 25): http://lists.opensuse.org/opensuse-updates/2015-03/msg00077.html Patch checked into Mageia 4 and Cauldron SVN. Freeze push requested. Reproducible: Steps to Reproduce:
Whiteboard: (none) => MGA5TOO, MGA4TOO
Patched packages uploaded for Mageia 4 and Cauldron. Advisory: ======================== Updated less package fixes security vulnerability: Malformed UTF-8 data could have caused an out of bounds read in the UTF-8 decoding routines, causing an invalid read access (CVE-2014-9488). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9488 http://lists.opensuse.org/opensuse-updates/2015-03/msg00077.html ======================== Updated packages in core/updates_testing: ======================== less-458-2.1.mga4 from less-458-2.1.mga4.src.rpm
Version: Cauldron => 4Assignee: bugsquad => qa-bugsWhiteboard: MGA5TOO, MGA4TOO => (none)
PoC information here: https://blog.fuzzing-project.org/3-less-out-of-bounds-read-access-TFPA-0022014.html
Testing complete mga4 64 opened a couple of PoC files with less and also $ less /usr/share/doc/less/README.urpmi
Whiteboard: (none) => has_procedure mga4-64-ok
Validating. Advisory uploaded.
Keywords: (none) => validated_updateWhiteboard: has_procedure mga4-64-ok => has_procedure mga4-64-ok advisoryCC: (none) => sysadmin-bugs
Thanks Claire. I can confirm your testing results on Mageia 4 i586.
Whiteboard: has_procedure mga4-64-ok advisory => has_procedure mga4-32-ok mga4-64-ok advisory
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0139.html
Status: NEW => RESOLVEDResolution: (none) => FIXED