[prev in list] [next in list] [prev in thread] [next in thread]
List: full-disclosure
Subject: [FD] less out of bounds read access - TFPA 002/2014
From: Hanno =?UTF-8?B?QsO2Y2s=?= <hanno () hboeck ! de>
Date: 2014-11-30 12:14:12
Message-ID: 20141130131412.6f185724 () pc
[Download RAW message or body]
This is a MIME-formatted message. If you see this text it means that your
E-mail software does not support MIME-formatted messages.
[Attachment #2 (multipart/signed)]
This is a MIME-formatted message. If you see this text it means that your
E-mail software does not support MIME-formatted messages.
less out of bounds read access - TFPA 002/2014
https://blog.fuzzing-project.org/3-less-out-of-bounds-read-access-TFPA-0022014.html
An out of bounds read access in the UTF-8 decoding can be triggered
with a malformed file in the tool less. The access happens in the
function is_utf8_well_formed (charset.c, line 534) due to a truncated
multibyte character in the sample file. It affects the latest upstream
less version 470. The bug does not crash less, it can only be made
visible by running less with valgrind or compiling it with Address
Sanitizer. The security impact is likely minor as it is only an invalid
read access.
This issue has been found with the help of Address Sanitizer.
The upstream developers have been informed about this issue on 4th
November 2014, no fix is available yet. The less webpage has no bug
tracker, no open mailing list and no other way to publicly report and
document bugs.
Conclusion
Even tools that only do very minor file parsing can expose bugs due to
charset encoding, especially in multibyte characters. Please note that
the bigger security threat in less comes from the use of lesspipe.
It is unsettling that the upstream project of an important tool like
less is completely unresponsive to bugs and has no public way to
discuss them.
less out of bounds read sample with gif header
https://crashes.fuzzing-project.org/TFPA-2014-002-less-oob
simpler sample with no header, only works when LESSOPEN is not set
https://crashes.fuzzing-project.org/TFPA-2014-002-less-oob-no-lesspipe
OSVDB 115007 : less GIF File Handling Out-of-bounds Read Issue
http://osvdb.org/show/osvdb/115007
Discussion of lesspipe security issues on oss-security
http://seclists.org/oss-sec/2014/q4/769
--
Hanno Böck
http://hboeck.de/
mail/jabber: hanno@hboeck.de
GPG: BBB51E42
[Attachment #5 (application/pgp-signature)]
_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic