Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sun, 23 Nov 2014 10:52:19 +0100
From: Hanno Böck <>
Subject: Re: so, can we do something about lesspipe? (+ a
 cpio bug to back up the argument)

On Sun, 23 Nov 2014 01:24:11 -0800
Michal Zalewski <> wrote:


lesspipe is a tough one.

First of all let me remind that I recently found an out of bounds
access in less's unicode decoding itself. Upstream is not responsing
atm. It's only a read error, but it was not even fuzzing, it was an
accidental finding, I'd expect that further analysis might yield to

Now lesspipe: I didn't know that this thing exists until very
recently but I was aware that less did some kind of parsing and e.g. I
quite liked the idea that you can "less" gz/bzip2 files.

Actually leaving security asside I quite like the idea of lesspipe, so
I'm reluctant to say "lesspipe scripts have gotta die / be disabled".

That said the alternative is a tough one. It would be something
like this:
* Fuzz all the things in lesspipe
* Report what you find
* Kill the tools that have unsatisfying upstream reactions and replace
  them with more secure ones.
And even after doing this this probably wouldn't count as a high
security solution.

I'm aware this feels like a huge effort, but actually it fits very
well in the project I'm about to start anyway. And lesspipe gives a good
starting point to what tools might deserve some more fuzzing.

Hanno Böck


Download attachment "signature.asc" of type "application/pgp-signature" (820 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.