less out of bounds read access - TFPA 002/2014
https://blog.fuzzing-project.org/3-less-out-of-bounds-read-access-TFPA-0022014.html

An out of bounds read access in the UTF-8 decoding can be triggered with a malformed file in the tool less. The access happens in the function is_utf8_well_formed (charset.c, line 534) due to a truncated multibyte character in the sample file. It affects the latest upstream less version 470.

The bug does not crash less; it can only be made visible by running less with valgrind or compiling it with Address Sanitizer. The security impact is likely minor, as it is only an invalid read access.

This issue has been found with the help of Address Sanitizer.

The upstream developers have been informed about this issue on 4th November 2014; no fix is available yet. The less webpage has no bug tracker, no open mailing list and no other way to publicly report and document bugs.

Conclusion

Even tools that only do very minor file parsing can expose bugs due to charset encoding, especially in multibyte characters. Please note that the bigger security threat in less comes from the use of lesspipe. It is unsettling that the upstream project of an important tool like less is completely unresponsive to bugs and has no public way to discuss them.

less out of bounds read sample with gif header
https://crashes.fuzzing-project.org/TFPA-2014-002-less-oob

simpler sample with no header, only works when LESSOPEN is not set
https://crashes.fuzzing-project.org/TFPA-2014-002-less-oob-no-lesspipe

OSVDB 115007 : less GIF File Handling Out-of-bounds Read Issue
http://osvdb.org/show/osvdb/115007

Discussion of lesspipe security issues on oss-security
http://seclists.org/oss-sec/2014/q4/769

-- 
Hanno Böck
http://hboeck.de/

mail/jabber: hanno@hboeck.de
GPG: BBB51E42
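The failure mode described above, a multibyte UTF-8 sequence whose continuation bytes are cut off by the end of the input, is illustrated below with an added example. This is not less's code and does not reproduce its is_utf8_well_formed function; it is a length-bounded well-formedness check written to show where the bounds check has to sit, run over a constructed sample (a GIF signature followed by a complete and then a truncated character), not the published crash file. The function names, the status enum and the sample bytes are all assumptions of this example.

```c
#include <stddef.h>
#include <stdio.h>

/* Expected total length of a UTF-8 sequence from its lead byte, or 0 if the
 * byte cannot start a sequence (a continuation byte, 0xC0/0xC1, or 0xF5..0xFF). */
static size_t utf8_seq_len(unsigned char lead)
{
    if (lead < 0x80) return 1;
    if (lead >= 0xC2 && lead <= 0xDF) return 2;
    if (lead >= 0xE0 && lead <= 0xEF) return 3;
    if (lead >= 0xF0 && lead <= 0xF4) return 4;
    return 0;
}

/* Outcome for one sequence at the start of a buffer of 'avail' bytes. */
enum utf8_status { UTF8_OK, UTF8_TRUNCATED, UTF8_INVALID };

/* Validate the sequence starting at p without ever reading past p + avail.
 * On UTF8_OK the sequence length is stored in *len (if len is non-NULL).
 * The 'avail < need' test runs before any continuation byte is touched;
 * omitting it is exactly what turns a truncated final character into an
 * out-of-bounds read. */
static enum utf8_status utf8_check(const unsigned char *p, size_t avail, size_t *len)
{
    size_t need, i;
    if (avail == 0) return UTF8_TRUNCATED;
    need = utf8_seq_len(p[0]);
    if (need == 0) return UTF8_INVALID;
    if (avail < need) return UTF8_TRUNCATED;   /* bounds check before reading on */
    for (i = 1; i < need; i++)
        if ((p[i] & 0xC0) != 0x80) return UTF8_INVALID;
    /* Reject overlong 3-byte forms, UTF-16 surrogates and code points > U+10FFFF. */
    if (need == 3 && ((p[0] == 0xE0 && p[1] < 0xA0) || (p[0] == 0xED && p[1] >= 0xA0)))
        return UTF8_INVALID;
    if (need == 4 && ((p[0] == 0xF0 && p[1] < 0x90) || (p[0] == 0xF4 && p[1] >= 0x90)))
        return UTF8_INVALID;
    if (len) *len = need;
    return UTF8_OK;
}

/* Walk a whole buffer: returns the number of well-formed sequences and sets
 * *truncated_tail when the buffer ends in the middle of a multibyte character. */
static size_t utf8_scan(const unsigned char *buf, size_t n, int *truncated_tail)
{
    size_t pos = 0, count = 0, len = 0;
    *truncated_tail = 0;
    while (pos < n) {
        switch (utf8_check(buf + pos, n - pos, &len)) {
        case UTF8_OK:        count++; pos += len; break;
        case UTF8_TRUNCATED: *truncated_tail = 1; return count;
        case UTF8_INVALID:   pos++; break;   /* skip one byte, as a lenient viewer would */
        }
    }
    return count;
}

/* Constructed sample (assumption, not the published crash file): a GIF
 * signature, one complete 2-byte character, then a 3-byte character cut off
 * after its second byte. */
static const unsigned char sample[] = {
    'G', 'I', 'F', '8', '9', 'a',
    0xC3, 0xA9,        /* U+00E9, complete */
    0xE2, 0x82         /* first two bytes of U+20AC; third byte missing */
};

/* Small wrappers so the scan result is available as return values. */
static size_t sample_well_formed_count(void)
{
    int t;
    return utf8_scan(sample, sizeof sample, &t);
}

static int sample_has_truncated_tail(void)
{
    int t;
    (void)utf8_scan(sample, sizeof sample, &t);
    return t;
}

int main(void)
{
    printf("%zu well-formed sequences, truncated tail: %s\n",
           sample_well_formed_count(), sample_has_truncated_tail() ? "yes" : "no");
    return 0;
}
```

Running the scan under Address Sanitizer or valgrind, as the advisory suggests for less itself, is the practical way to confirm that a decoder stays inside the buffer on such input: with the 'avail < need' check in place the truncated tail is reported rather than read past.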