[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Full-Disclosure] gnu-less Format String Vulnerability

To: full-disclosure@xxxxxxxxxxxxxxxx
Subject: [Full-Disclosure] gnu-less Format String Vulnerability
From: Serkan Akpolat <sakpolat@xxxxxxx>
Date: Wed, 18 Aug 2004 14:26:51 +0300

+-----[ Software ]-----+

Less is a program similar to more, but which allows backward movement in the file as well as forward movement. Also, less does not have to read the entire input file before starting, so with large input files it starts up faster than text editors like vi. Less uses termcap (or terminfo on some systems), so it can run on a variety of terminals. There is even limited support for hardcopy terminals.

+-----[ Tested Versions ]-----+

less-382
less-381
less-358

+-----[ Description ]-----+

Format string vulnerability.


+-----[ Vulnerable Code ]-----+
From less-382:

[filename.c] : 787

    public char *
open_altfile(filename, pf, pfd)
    char *filename;
    int *pf;
    void **pfd;
{
    ...................
    if ((lessopen = lgetenv("LESSOPEN")) == NULL
    ...................
    sprintf(cmd, lessopen, filename); <-- Format String Problem Here
    ...................

}

+-----[ Greets ]-------+

Virulent , gorny and all other netricians

+-----------------------+

+-----[ Contact ]-----+

http://deicide.siyahsapka.org

deicide@xxxxxxxxxxxxxx

+----------------------+

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Follow-Ups:
- Re: [Full-Disclosure] gnu-less Format String Vulnerability
  - From: Tim

Prev by Date: RE: [Full-Disclosure] lame bitching about xpsp2
Next by Date: RE: [Full-Disclosure] lame bitching about xpsp2 (will it ever sto p ?)
Previous by thread: [Full-Disclosure] [SECURITY] [DSA 540-1] New mysql packages fix insecure temporary file creation
Next by thread: Re: [Full-Disclosure] gnu-less Format String Vulnerability
Index(es):
- Date
- Thread