Message-ID: <20150310201236.74af14e9@pc1.fritz.box>
Date: Tue, 10 Mar 2015 20:12:36 +0100
From: Hanno Böck <hanno@...eck.de>
To: oss-security@...ts.openwall.com
Subject: less invalid memory access fixed (CVE-2014-9488)

I stumbled over an invalid memory access in less a while ago:
https://blog.fuzzing-project.org/3-less-out-of-bounds-read-access-TFPA-0022014.html

While I never got a reply from the less developers, it seems that with
version 475 they finally fixed it. They don't have any release
announcements or public repositories, but there is a mention in the
file version.c that is probably related:
+v475  3/2/15    Fix possible buffer overrun with invalid UTF-8; 
+                fix bug when compiled with no regex; fix non-match
  search.

This is likely the change that fixes this bug (but I haven't verified
that; there are multiple things changed between 474 and 475):

--- less-474/line.c	2015-01-31 00:20:29.000000000 +0100
+++ less-475/line.c	2015-03-05 20:07:08.000000000 +0100
@@ -807,7 +807,7 @@
 			mbc_buf[mbc_buf_index++] = c;
 			if (mbc_buf_index < mbc_buf_len)
 				return (0);
-			if (is_utf8_well_formed(mbc_buf))
+			if (is_utf8_well_formed(mbc_buf,
mbc_buf_index)) r = do_append(get_wchar(mbc_buf), mbc_buf, mbc_pos);
 			else
 				/* Complete, but not shortest form,
 				sequence. */
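Review bot: the hunk only changes the call site, so whether the read past the filled bytes is actually gone depends on the new body of is_utf8_well_formed() honouring its second argument (mbc_buf_index, the number of bytes stored so far) instead of deriving the length from the lead byte; that definition and any other callers are outside this hunk and should be checked as well. Also note that the `+` line has been wrapped by extraction: `if (is_utf8_well_formed(mbc_buf, mbc_buf_index))` and the following `r = do_append(get_wchar(mbc_buf), mbc_buf, mbc_pos);` are two separate source lines in less-475/line.c.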


If mitre and osvdb maintainers read this: please update the entries in
your databases accordingly.

I'll also update the blog post / advisory.

-- 
Hanno Böck
http://hboeck.de/

mail/jabber: hanno@...eck.de
GPG: BBB51E42
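To illustrate the class of fix shown in the hunk above (a UTF-8 well-formedness check that receives the number of bytes actually stored and never reads past them), here is an added example; it is not code from less or from the post, and the function name utf8_well_formed_bounded and the sample byte sequences are my own.

```c
#include <stddef.h>
#include <stdio.h>

/* Expected total length of a UTF-8 sequence from its lead byte (0 = invalid lead). */
static size_t utf8_seq_len(unsigned char lead)
{
    if (lead < 0x80) return 1;
    if ((lead & 0xE0) == 0xC0) return (lead >= 0xC2) ? 2 : 0;  /* C0/C1 are overlong */
    if ((lead & 0xF0) == 0xE0) return 3;
    if ((lead & 0xF8) == 0xF0) return (lead <= 0xF4) ? 4 : 0;  /* F5..F7 exceed U+10FFFF */
    return 0;
}

/* Return 1 if buf[0..len) is exactly one complete, well-formed UTF-8 sequence.
 * Every read is bounded by len (the count of bytes actually stored, as the
 * hunk's mbc_buf_index is), so a partially filled buffer is rejected instead
 * of being examined past the bytes that were written. Hypothetical helper. */
int utf8_well_formed_bounded(const unsigned char *buf, size_t len)
{
    if (len == 0) return 0;
    size_t need = utf8_seq_len(buf[0]);
    if (need == 0 || need != len) return 0;      /* invalid lead, or too few/many bytes */
    if (need == 1) return 1;
    for (size_t i = 1; i < len; i++)
        if ((buf[i] & 0xC0) != 0x80) return 0;   /* every trailing byte must be 10xxxxxx */
    /* Reject overlong 3/4-byte forms and UTF-16 surrogates (ED A0..BF xx). */
    if (need == 3 && buf[0] == 0xE0 && buf[1] < 0xA0) return 0;
    if (need == 3 && buf[0] == 0xED && buf[1] >= 0xA0) return 0;
    if (need == 4 && buf[0] == 0xF0 && buf[1] < 0x90) return 0;
    if (need == 4 && buf[0] == 0xF4 && buf[1] >= 0x90) return 0;
    return 1;
}

int main(void)
{
    /* Constructed inputs: a complete 3-byte sequence (U+20AC) and a truncated
     * one where only the lead byte and a single continuation byte arrived. */
    const unsigned char euro[] = {0xE2, 0x82, 0xAC};
    const unsigned char truncated[] = {0xE2, 0x82};
    printf("complete:  %d\n", utf8_well_formed_bounded(euro, sizeof euro));
    printf("truncated: %d\n", utf8_well_formed_bounded(truncated, sizeof truncated));
    return 0;
}
```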
