Launchpad.net

Launchpad Home
Code
Bugs
Blueprints
Translations
Answers

CVE 2024-32487

less through 653 allows OS command execution via a newline character in the name of a file, because quoting is mishandled in filename.c. Exploitation typically requires use with attacker-controlled file names, such as the files extracted from an untrusted archive. Exploitation also requires the LESSOPEN environment variable, but this is set by default in many common cases.

Related bugs and status

CVE-2024-32487 (Candidate) is related to these bugs:

Bug #2064863: [Debian] High CVE: CVE-2022-48624/CVE-2024-32487 less : multiple CVEs

Summary				In	Importance	Status
	2064863	[Debian] High CVE: CVE-2022-48624/CVE-2024-32487 less : multiple CVEs		StarlingX	High	Fix Released

See the

CVE page on Mitre.org for more details.

References

MISC: https://github.com/gws...
MISC: https://www.openwall.c...
MISC: https://www.openwall.c...