Description
Security update for less
This update for less fixes the following issues:
- CVE-2024-32487: Fixed mishandling of the \n character in paths, which leads to OS command execution when LESSOPEN is set. (bsc#1222849)
Package list
Image SLES12-SP5-Azure-BYOS
less-458-7.15.1
Image SLES12-SP5-Azure-Basic-On-Demand
less-458-7.15.1
Image SLES12-SP5-Azure-HPC-BYOS
less-458-7.15.1
Image SLES12-SP5-Azure-HPC-On-Demand
less-458-7.15.1
Image SLES12-SP5-Azure-SAP-BYOS
less-458-7.15.1
Image SLES12-SP5-Azure-SAP-On-Demand
less-458-7.15.1
Image SLES12-SP5-Azure-Standard-On-Demand
less-458-7.15.1
Image SLES12-SP5-EC2-BYOS
less-458-7.15.1
Image SLES12-SP5-EC2-On-Demand
less-458-7.15.1
Image SLES12-SP5-EC2-SAP-BYOS
less-458-7.15.1
Image SLES12-SP5-EC2-SAP-On-Demand
less-458-7.15.1
Image SLES12-SP5-GCE-BYOS
less-458-7.15.1
Image SLES12-SP5-GCE-On-Demand
less-458-7.15.1
Image SLES12-SP5-GCE-SAP-BYOS
less-458-7.15.1
Image SLES12-SP5-GCE-SAP-On-Demand
less-458-7.15.1
Image SLES12-SP5-SAP-Azure-LI-BYOS-Production
less-458-7.15.1
Image SLES12-SP5-SAP-Azure-VLI-BYOS-Production
less-458-7.15.1
SUSE Linux Enterprise Server 12 SP5
less-458-7.15.1
SUSE Linux Enterprise Server for SAP Applications 12 SP5
less-458-7.15.1
References
- Link for SUSE-SU-2024:1550-1
- E-Mail link for SUSE-SU-2024:1550-1
- SUSE Security Ratings
- SUSE Bug 1222849
- SUSE CVE CVE-2024-32487 page
Description
less through 653 allows OS command execution via a newline character in the name of a file, because quoting is mishandled in filename.c. Exploitation typically requires use with attacker-controlled file names, such as the files extracted from an untrusted archive. Exploitation also requires the LESSOPEN environment variable, but this is set by default in many common cases.
Affected products
Image SLES12-SP5-Azure-BYOS:less-458-7.15.1
Image SLES12-SP5-Azure-Basic-On-Demand:less-458-7.15.1
Image SLES12-SP5-Azure-HPC-BYOS:less-458-7.15.1
Image SLES12-SP5-Azure-HPC-On-Demand:less-458-7.15.1
References
- CVE-2024-32487
- SUSE Bug 1222849