From db@trunet.dk Wed Sep 21 12:57:04 2005
Return-Path:
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id F098E16A41F for ; Wed, 21 Sep 2005 12:57:04 +0000 (GMT) (envelope-from db@trunet.dk)
Received: from cicero1.cybercity.dk (cicero1.cybercity.dk [212.242.40.4]) by mx1.FreeBSD.org (Postfix) with ESMTP id 91FFF43D45 for ; Wed, 21 Sep 2005 12:57:04 +0000 (GMT) (envelope-from db@trunet.dk)
Received: from user3.cybercity.dk (user3.cybercity.dk [212.242.41.36]) by cicero1.cybercity.dk (Postfix) with ESMTP id 70BFF7E2D91 for ; Wed, 21 Sep 2005 14:57:02 +0200 (CEST)
Received: from work.trunet.dk (port132.ds1-arsy.adsl.cybercity.dk [212.242.239.73]) by user3.cybercity.dk (Postfix) with ESMTP id 2911F93C2A for ; Wed, 21 Sep 2005 14:57:02 +0200 (CEST)
Message-Id: <1127314725.0@work.trunet.dk>
Date: Wed, 21 Sep 2005 14:58:45 -0000
From: "Daniel Blankensteiner"
To: "FreeBSD gnats submit"
Subject: /usr/bin/more segmentation fault
X-Send-Pr-Version: gtk-send-pr 0.4.6
X-GNATS-Notify:

>Number:         86405
>Category:       bin
>Synopsis:       more(1) segmentation fault
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Sep 21 13:00:23 GMT 2005
>Closed-Date:
>Last-Modified:  Thu May 01 07:12:52 UTC 2008
>Originator:     Daniel Blankensteiner
>Release:        FreeBSD 5.4-SECURITY i386
>Organization:
>Environment:
System: FreeBSD 5.4-SECURITY #0: Wed Jul 20 08:57:11 UTC 2005 root@builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC
>Description:
Using the 'k' option can make /usr/bin/more segmentation fault with some files.
Try with wxglade-0.4-setup.exe from http://sourceforge.net/projects/wxglade
>How-To-Repeat:
more -k wxglade-0.4-setup.exe
>Fix:
>Release-Note:
>Audit-Trail:

From: Giorgos Keramidas
To: Daniel Blankensteiner
Cc: bug-followup@freebsd.org
Subject: Re: bin/86405: /usr/bin/more segmentation fault
Date: Wed, 21 Sep 2005 17:22:53 +0300

On 2005-09-21 14:58, Daniel Blankensteiner wrote:
> Using the 'k' option can make /usr/bin/more segmentation fault with
> some files. Try with wxglade-0.4-setup.exe from
> http://sourceforge.net/projects/wxglade
>
> more -k wxglade-0.4-setup.exe

Interesting. Since our more(1) is basically a hard link to less(1)

    flame:/home/keramida$ ls -ldi `which more` `which less`
    400974 -r-xr-xr-x  2 root  wheel  - 115128 Sep 21 10:21 /usr/bin/less
    400974 -r-xr-xr-x  2 root  wheel  - 115128 Sep 21 10:21 /usr/bin/more
    flame:/home/keramida$

it would be nice to check newer versions of less (i.e. from the ports?) and see if this is fixed already upstream.

From: Nate Eldredge
To: bug-followup@FreeBSD.org, db@trunet.dk
Cc:
Subject: Re: bin/86405: /usr/bin/more segmentation fault
Date: Thu, 13 Oct 2005 16:24:39 -0700 (PDT)

I think this might be a case of "don't do that". -k tells more/less to read its keybindings from the specified file. This is in a special format generated by the lesskey program. A comment at decode.c:666 admits that minimal error checking is done and a bad file will "produce strange results".

Given that this is a problem that can only arise through intentional misuse, I don't think anyone is going to be that interested in fixing it. If you want to do so, I would suggest you deal with the upstream people.

It shouldn't be a security problem since if you can run less, you can already execute arbitrary commands (try the ! command inside less). less does have a "secure" mode in which these things are disabled, and in that case the -k option is disabled as well.

All IMHO.
--
Nate Eldredge
nge@cs.hmc.edu

From: "db@trunet.dk"
To: Nate Eldredge, bug-followup@freebsd.org
Cc:
Subject: Re: bin/86405: /usr/bin/more segmentation fault
Date: Sat, 15 Oct 2005 19:26:24 +0000

On Thursday 13 October 2005 23:24, you wrote:
> I think this might be a case of "don't do that".

I will strongly disagree on "don't do that" fixes when we are talking about a segmentation fault in a program that is part of the base system.

> It shouldn't be a security problem since if you can run less, you can
> already execute arbitrary commands (try the ! command inside less). less
> does have a "secure" mode in which these things are disabled, and in that
> case the -k option is disabled as well.

I agree that it shouldn't be a security problem though.

Best regards
db

>Unformatted: