Headline
Ubuntu Security Notice USN-6756-1
Ubuntu Security Notice 6756-1 - It was discovered that less mishandled newline characters in file names. If a user or automated system were tricked into opening specially crafted files, an attacker could possibly use this issue to execute arbitrary commands on the host.
==========================================================================
Ubuntu Security Notice USN-6756-1
April 29, 2024
less vulnerability
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 24.04 LTS
- Ubuntu 23.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS
Summary:
less could be made run programs as your login if it opened a specially
crafted file.
Software Description:
- less: pager program similar to more
Details:
It was discovered that less mishandled newline characters in file names. If
a user or automated system were tricked into opening specially crafted
files, an attacker could possibly use this issue to execute arbitrary
commands on the host.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 24.04 LTS
less 590-2ubuntu2.1
Ubuntu 23.10
less 590-2ubuntu0.23.10.2
Ubuntu 22.04 LTS
less 590-1ubuntu0.22.04.3
Ubuntu 20.04 LTS
less 551-1ubuntu0.3
Ubuntu 18.04 LTS
less 487-0.1ubuntu0.1~esm2
Available with Ubuntu Pro
Ubuntu 16.04 LTS
less 481-2.1ubuntu0.2+esm2
Available with Ubuntu Pro
Ubuntu 14.04 LTS
less 458-2ubuntu0.1~esm1
Available with Ubuntu Pro
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-6756-1
CVE-2024-32487
Package Information:
https://launchpad.net/ubuntu/+source/less/590-2ubuntu2.1
https://launchpad.net/ubuntu/+source/less/590-2ubuntu0.23.10.2
https://launchpad.net/ubuntu/+source/less/590-1ubuntu0.22.04.3
https://launchpad.net/ubuntu/+source/less/551-1ubuntu0.3
Related news
Red Hat Security Advisory 2024-4529-03 - An update for less is now available for Red Hat Enterprise Linux 9.2 Extended Update Support. Issues addressed include a code execution vulnerability.
Red Hat Security Advisory 2024-4528-03 - An update for less is now available for Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions. Issues addressed include a code execution vulnerability.
Red Hat Security Advisory 2024-4418-03 - An update for less is now available for Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions, and Red Hat Enterprise Linux 8.6 Telecommunications Update Service. Issues addressed include a code execution vulnerability.
Red Hat Security Advisory 2024-4416-03 - An update for less is now available for Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions, and Red Hat Enterprise Linux 8.4 Telecommunications Update Service. Issues addressed include a code execution vulnerability.
Red Hat Security Advisory 2024-4256-03 - An update for less is now available for Red Hat Enterprise Linux 8. Issues addressed include a code execution vulnerability.
Red Hat Security Advisory 2024-3669-03 - An update for less is now available for Red Hat Enterprise Linux 7. Issues addressed include a code execution vulnerability.
Red Hat Security Advisory 2024-3513-03 - An update for less is now available for Red Hat Enterprise Linux 9. Issues addressed include a code execution vulnerability.
Debian Linux Security Advisory 5679-1 - Several vulnerabilities were discovered in less, a file pager, which may result in the execution of arbitrary commands if a file with a specially crafted file name is processed.