That CVE was announced here:
https://www.openwall.com/lists/oss-security/2024/04/12/5
https://www.openwall.com/lists/oss-security/2024/04/12/6
https://www.openwall.com/lists/oss-security/2024/04/13/2
https://www.openwall.com/lists/oss-security/2024/04/15/1

The fix is provided in https://www.openwall.com/lists/oss-security/2024/04/13/2

Mageia 9 is also affected.
Suggested advisory:
========================

The updated package fixes a security vulnerability:

less through 653 allows OS command execution via a newline character in the name of a file, because quoting is mishandled in filename.c. Exploitation typically requires use with attacker-controlled file names, such as the files extracted from an untrusted archive. Exploitation also requires the LESSOPEN environment variable, but this is set by default in many common cases. (CVE-2024-32487)

References:
https://www.openwall.com/lists/oss-security/2024/04/12/5
https://www.openwall.com/lists/oss-security/2024/04/12/6
https://www.openwall.com/lists/oss-security/2024/04/13/2
https://www.openwall.com/lists/oss-security/2024/04/15/1
========================

Updated package in core/updates_testing:
========================
less-632-1.2.mga9

from SRPM:
less-632-1.2.mga9.src.rpm
Assignee: bugsquad => qa-bugs
Status: NEW => ASSIGNED
Version: Cauldron => 9
CVE: (none) => CVE-2024-32487
Source RPM: (none) => less-632-1.1.mga9.src.rpm
CC: (none) => mageia
Keywords: (none) => advisory
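A way to check a directory tree for the two preconditions the advisory names (file names containing a newline, and LESSOPEN being set), as an added example that is not part of the bug report or of the less package. The function names are hypothetical, and `find` and `tr` are assumed to be available.

```shell
#!/bin/sh
# Added example: exposure check for the preconditions described in the
# CVE-2024-32487 advisory text. All function names are hypothetical.

# A literal newline, built portably for POSIX sh.
NL='
'

# Return 0 when LESSOPEN is set to a non-empty value, i.e. less will run
# an input preprocessor on the file names it is given.
lessopen_active() {
    [ -n "${LESSOPEN:-}" ]
}

# Print the number of entries under directory $1 whose name contains a newline.
count_newline_names() {
    find "$1" -name "*${NL}*" -exec sh -c 'for f; do printf x; done' sh {} + |
        wc -c | tr -d ' '
}

# Print each offending path on a single line, embedded newlines shown as "?".
list_newline_names() {
    find "$1" -name "*${NL}*" -exec sh -c '
        for f; do printf "%s" "$f" | tr "\n" "?"; printf "\n"; done' sh {} +
}

# Report both preconditions for tree $1.
# Returns 1 only when both are present at the same time, 0 otherwise.
check_tree() {
    n=$(count_newline_names "$1")
    if lessopen_active; then state=set; else state=unset; fi
    echo "newline names: $n, LESSOPEN: $state"
    [ "$n" -gt 0 ] && list_newline_names "$1"
    [ "$n" -eq 0 ] || [ "$state" = unset ]
}

# When run as a script with a directory argument, check that tree.
if [ "$#" -gt 0 ]; then
    check_tree "$1" || exit 1
fi
```

The upstream version number does not show whether the fix is present: the fixed Mageia package is less-632-1.2.mga9, so the package release has to be checked rather than the output of `less --version`.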
RH mageia 9 x86_64

I can't reproduce the issue following https://www.openwall.com/lists/oss-security/2024/04/12/5 example

LC_ALL=C urpmi --auto --auto-update
medium "QA Testing (32-bit)" is up-to-date
medium "QA Testing (64-bit)" is up-to-date
medium "Core Release (distrib1)" is up-to-date
medium "Core Updates (distrib3)" is up-to-date
medium "Nonfree Release (distrib11)" is up-to-date
medium "Nonfree Updates (distrib13)" is up-to-date
medium "Tainted Release (distrib21)" is up-to-date
medium "Tainted Updates (distrib23)" is up-to-date
medium "Core 32bit Release (distrib31)" is up-to-date
medium "Core 32bit Updates (distrib32)" is up-to-date
medium "Nonfree 32bit Release (distrib36)" is up-to-date
medium "Tainted 32bit Release (distrib41)" is up-to-date
medium "Tainted 32bit Updates (distrib42)" is up-to-date
installing less-632-1.2.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64
Preparing... ##################################################################################################
1/1: less ##################################################################################################
1/1: removing less-632-1.1.mga9.x86_64
##################################################################################################
----------------------------------------------------------------------
More information on package less-632-1.2.mga9.x86_64
This version of less includes lesspipe.sh from Wolfgang Friebel
( https://www-zeuthen.desy.de/~friebel//unix/less/ ).
This enables you to view gz, bz2, lzma, zip, rpm and html files among others with less.
It works by setting the LESSOPEN environment variable, see the man pages for details.
If you want to disable this behavior, either use 'unset LESSOPEN' or use an alias ( alias less='less -l' ).
less will open html files with lynx, then html2text, then cat if none of the previous were found.
----------------------------------------------------------------------

Still can't reproduce the failure, which is good, I think :)
Tested with some files, looks good to me
Go ahead with the OK katnatek.
CC: (none) => tarazed25
mga9-64 OK simple usage test.
CC: (none) => fri
CC: (none) => andrewsfarm
(In reply to Len Lawrence from comment #3)
> Go ahead with the OK katnatek.

I just wanted more eyes on this
Whiteboard: (none) => MGA9-64-OK
RH mageia 9 i586

LC_ALL=C urpmi --auto --auto-update
medium "QA Testing (32-bit)" is up-to-date
medium "BDK-Free-i586" is up-to-date
medium "BDK-Free-noarch" is up-to-date
medium "BDK-NonFree-i586" is up-to-date
medium "Core Release (distrib1)" is up-to-date
medium "Core Updates (distrib3)" is up-to-date
medium "Nonfree Release (distrib11)" is up-to-date
medium "Nonfree Updates (distrib13)" is up-to-date
medium "Tainted Release (distrib21)" is up-to-date
medium "Tainted Updates (distrib23)" is up-to-date
installing less-632-1.2.mga9.i586.rpm from //home/katnatek/qa-testing/i586
Preparing... #######################################################
1/1: less #######################################################
1/1: removing less-632-1.1.mga9.i586
#######################################################
----------------------------------------------------------------------
More information on package less-632-1.2.mga9.i586
This version of less includes lesspipe.sh from Wolfgang Friebel
( https://www-zeuthen.desy.de/~friebel//unix/less/ ).
This enables you to view gz, bz2, lzma, zip, rpm and html files among others with less.
It works by setting the LESSOPEN environment variable, see the man pages for details.
If you want to disable this behavior, either use 'unset LESSOPEN' or use an alias ( alias less='less -l' ).
less will open html files with lynx, then html2text, then cat if none of the previous were found.
----------------------------------------------------------------------

The issue in https://www.openwall.com/lists/oss-security/2024/04/12/5 is not reproducible before or after installing the testing packages.
Tested opening some files with less, no issues detected.
Whiteboard: MGA9-64-OK => MGA9-64-OK,MGA9-32-OK
CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2024-0139.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED