Updated less packages fix security vulnerability
Publication date: 19 Apr 2024
Modification date: 19 Apr 2024
Type: security
Affected Mageia releases: 9
CVE: CVE-2024-32487
Description
less through 653 allows OS command execution via a newline character in the name of a file, because quoting is mishandled in filename.c. Exploitation typically requires use with attacker-controlled file names, such as the files extracted from an untrusted archive. Exploitation also requires the LESSOPEN environment variable, but this is set by default in many common cases. (CVE-2024-32487)
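A triage check for the two conditions named above (file names containing a newline, and LESSOPEN being set), for use on a directory extracted from an untrusted archive before the updated package is installed. This is an added example, not part of the advisory or of less; the function names `list_newline_names` and `check_tree` are hypothetical.

```shell
#!/bin/sh
# Added example: report file names containing a newline under a directory
# and whether LESSOPEN is set. Function names are hypothetical.

# Print one line per path under $1 whose name contains a newline.
# The newline is shown as '?' so each offending path stays on one line.
list_newline_names() {
    nl='
'
    find "$1" -name "*${nl}*" -exec sh -c '
        for p do
            printf "%s" "$p" | tr "\n" "?"
            printf "\n"
        done' sh {} +
}

# Return 1 when both conditions from the description hold for tree $1:
# at least one file name contains a newline AND LESSOPEN is set.
check_tree() {
    hits=$(list_newline_names "$1")
    if [ -z "$hits" ]; then
        echo "ok: no file names containing a newline under $1"
        return 0
    fi
    echo "file names containing a newline (shown as '?'):"
    printf '%s\n' "$hits"
    if [ -n "${LESSOPEN:-}" ]; then
        echo "LESSOPEN is set: do not open these files with an unpatched less"
        return 1
    fi
    echo "LESSOPEN is unset: the input preprocessor is not in use"
    return 0
}

# Stand-alone use: pass the directory to check as the first argument.
if [ "$#" -gt 0 ]; then
    check_tree "$1"
fi
```

Installing the updated package listed under SRPMS is the fix; this check only flags trees that need care until then.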
References
- https://bugs.mageia.org/show_bug.cgi?id=33102
- https://www.openwall.com/lists/oss-security/2024/04/12/5
- https://www.openwall.com/lists/oss-security/2024/04/12/6
- https://www.openwall.com/lists/oss-security/2024/04/13/2
- https://www.openwall.com/lists/oss-security/2024/04/15/1
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-32487
SRPMS
9/core
- less-632-1.2.mga9