From https://github.com/wofr06/lesspipe/releases/tag/v2.06: "The support for perl storable (pst) files was removed for security reasons." And see https://github.com/wofr06/lesspipe/commit/a5610c106f38570040de4d76c0ed1c6af74e9a7c. No details though.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bb2641741479ad64a0959c6eb3b80c4b6106e056 commit bb2641741479ad64a0959c6eb3b80c4b6106e056 Author: Sam James <sam@gentoo.org> AuthorDate: 2022-08-18 02:58:18 +0000 Commit: Sam James <sam@gentoo.org> CommitDate: 2022-08-18 03:09:57 +0000 app-text/lesspipe: add 2.06 Bug: https://bugs.gentoo.org/865631 Signed-off-by: Sam James <sam@gentoo.org> app-text/lesspipe/Manifest | 1 + app-text/lesspipe/lesspipe-2.06.ebuild | 52 ++++++++++++++++++++++++++++++++++ 2 files changed, 53 insertions(+)
Please cleanup
Upstream pointed me to some references that they were given in the original vulnerability report: "In lesspipe 2.02, you added support for Perl Storable files using `perl -MStorable=retrieve`. By design, this function is not secure against untrusted input, and can be exploited for arbitrary code execution: https://perldoc.perl.org/Storable#SECURITY-WARNING https://www.masteringperl.org/2012/12/the-storable-security-problem/ https://twitter.com/dozernz/status/1167226128559263744" And from the perl.org link, "Finally, the deserialized object's destructors will be invoked when the objects get destroyed in the deserializing process. Maliciously crafted Storable documents may put such objects in the value of a hash key that is overridden by another key/value pair in the same hash, thus causing immediate destructor execution." So this seems like a code execution vulneraiblity. Upstream opted not to make an advisory due to the significant amount of user cooperation required to open a crafted PST.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=38bdda86e54a0645a606392dae2ed41c68127c4e commit 38bdda86e54a0645a606392dae2ed41c68127c4e Author: Sam James <sam@gentoo.org> AuthorDate: 2022-10-28 19:42:52 +0000 Commit: Sam James <sam@gentoo.org> CommitDate: 2022-10-28 19:49:58 +0000 app-text/lesspipe: drop 2.05-r1 Bug: https://bugs.gentoo.org/865631 Signed-off-by: Sam James <sam@gentoo.org> app-text/lesspipe/Manifest | 1 - app-text/lesspipe/lesspipe-2.05-r1.ebuild | 47 ------------------------------- 2 files changed, 48 deletions(-)
GLSA request filed. Need to request CVE.
(In reply to John Helmert III from comment #5) > GLSA request filed. Need to request CVE. Requested.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/data/glsa.git/commit/?id=d2caa7d73160aa5b9c9cda07665068a8b25fa730 commit d2caa7d73160aa5b9c9cda07665068a8b25fa730 Author: GLSAMaker <glsamaker@gentoo.org> AuthorDate: 2022-11-10 16:33:11 +0000 Commit: John Helmert III <ajak@gentoo.org> CommitDate: 2022-11-10 16:36:02 +0000 [ GLSA 202211-02 ] lesspipe: Arbitrary Code Exeecution Bug: https://bugs.gentoo.org/865631 Signed-off-by: GLSAMaker <glsamaker@gentoo.org> Signed-off-by: John Helmert III <ajak@gentoo.org> glsa-202211-02.xml | 42 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 42 insertions(+)
