Bug 65159 (CVE-2005-0086)

Summary: VUL-0: CVE-2005-0086: less: heap-based overflow
Product: [Novell Products] SUSE Security Incidents Reporter: Thomas Biege <thomas>
Component: IncidentsAssignee: Petr Mladek <pmladek>
Status: RESOLVED INVALID QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: patch-request, security-team
Version: unspecified   
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: CVE-2005-0086: CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Thomas Biege 2005-01-25 19:01:18 UTC 
Hi, 
we received the following through vendor-sec. 
 
From: Josh Bressers <bressers@redhat.com> 
To: vendor-sec@lst.de 
User-Agent: Mutt/1.4.1i 
Subject: [vendor-sec] Issue with older versions of less 
Errors-To: vendor-sec-admin@lst.de 
Date: Mon, 24 Jan 2005 13:39:29 -0500 
 
I don't know exactly which version of less this issue affects, but I 
figured I'd throw it out here for anyone affected. 
 
This was reported to our bugzilla 
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=145527 
 
Basically, if you view a malicious file with less, it causes a heap buffer 
overflow. 
 
-- 
    JB 
_______________________________________________ 
 
From: Josh Bressers <bressers@redhat.com> 
To: Steve Kemp <skx@debian.org> 
Cc: vendor-sec@lst.de 
Subject: Re: [vendor-sec] Issue with older versions of less 
User-Agent: Mutt/1.4.1i 
Errors-To: vendor-sec-admin@lst.de 
Date: Mon, 24 Jan 2005 15:51:46 -0500 
 
On Mon, Jan 24, 2005 at 06:46:23PM +0000, Steve Kemp wrote: 
> On Mon, Jan 24, 2005 at 01:39:29PM -0500, Josh Bressers wrote: 
> > I don't know exactly which version of less this issue affects, but I 
> > figured I'd throw it out here for anyone affected. 
> 
>   Debian's Woody release is vulnerable, with version 3.74. 
> 
> > This was reported to our bugzilla 
> > https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=145527 
> 
>   So this is public now?  Is there a CAN ID? 
 
CAN-2005-0086 covers this issue.  It should be considered public as 
anyone 
who looks in the Red Hat bugzilla can see the bug. 
 
-- 
    JB 
_______________________________________________ 
 
From: Solar Designer <solar@openwall.com> 
To: Josh Bressers <bressers@redhat.com> 
Cc: vendor-sec@lst.de 
Subject: Re: [vendor-sec] Issue with older versions of less 
User-Agent: Mutt/1.4.2.1i 
Errors-To: vendor-sec-admin@lst.de 
Date: Mon, 24 Jan 2005 21:55:48 +0300 
 
Josh, 
 
Thanks.  FWIW, this does not appear to affect less-358.  It does not 
crash with the testcase, not even when I set a UTF-8 locale, and the 
source code lacks context touched by the proposed patch. 
 
-- 
/sd 
 
On Mon, Jan 24, 2005 at 01:39:29PM -0500, Josh Bressers wrote: 
> I don't know exactly which version of less this issue affects, but I 
> figured I'd throw it out here for anyone affected. 
> 
> This was reported to our bugzilla 
> https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=145527 
> 
> Basically, if you view a malicious file with less, it causes a heap buffer 
> overflow. 
> 
> -- 
>     JB 
_______________________________________________ 
 
From: "Jacques A. Vidrine" <nectar@FreeBSD.org> 
To: Solar Designer <solar@openwall.com> 
Cc: Josh Bressers <bressers@redhat.com>, vendor-sec@lst.de 
Subject: Re: [vendor-sec] Issue with older versions of less 
User-Agent: Mutt/1.5.6i 
Errors-To: vendor-sec-admin@lst.de 
Date: Mon, 24 Jan 2005 13:35:31 -0600 
 
On Mon, Jan 24, 2005 at 09:55:48PM +0300, Solar Designer wrote: 
> Josh, 
> 
> Thanks.  FWIW, this does not appear to affect less-358.  It does not 
> crash with the testcase, not even when I set a UTF-8 locale, and the 
> source code lacks context touched by the proposed patch. 
 
FreeBSD 4.x ships with less-358.  FreeBSD 5.x ships with less-381. 
Neither of these appears to be vulnerable:  the test case does not 
cause a segfault, and the code does not contain a `charset' buffer. 
 
Hmm, the bug report mentions less-378-11.  Is there some 3rd-party 
patch applied to the RedHat less, perhaps for better i18n support? 
 
Cheers, 
-- 
Jacques A Vidrine / NTT/Verio 
nectar@celabo.org / jvidrine@verio.net / nectar@FreeBSD.org 
_______________________________________________
Comment 1 Thomas Biege 2005-01-25 19:01:18 UTC 
<!-- SBZ_reproduce  -->
-
Comment 2 Petr Mladek 2005-01-25 21:46:20 UTC 
I am going to investigate if our packages are affected.
Comment 3 Petr Mladek 2005-01-25 23:58:20 UTC 
Our less is not affected! I have checked all package sources from SL 8.1
to STABLE and everything looks fine.

The vulnerability is related to the iso254.patch but we use a fixed version of
the   patch. Our patch already includes the code that fixes the bug 
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=145527
Finally, our less does not crash with the sample file attached to the same Red
Hat's bug.

So, I'll close this bug as INVALID.
Comment 4 Thomas Biege 2005-01-26 00:15:15 UTC 
Great, thanks.
Comment 5 Thomas Biege 2009-10-13 21:00:22 UTC 
CVE-2005-0086: CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)