Lucene search

Gentoo FoundationGLSA-202211-02

HistoryNov 10, 2022 - 12:00 a.m.

lesspipe: Arbitrary Code Exeecution

2022-11-1000:00:00

Gentoo Foundation

security.gentoo.org

lesspipe

arbitrary code execution

perl storable files

update

version 2.06

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

0.003 Low

EPSS

Percentile

68.6%

JSON

Background

lesspipe is a preprocessor for less.

Description

lesspipe has support for parsing Perl storable (“PST”) files,

Impact

A crafted Perl storable file which is passed into lesspipe could result in arbitrary code execution.

Workaround

There is no known workaround at this time.

Resolution

All lesspipe users should update to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose "&gt;=app-text/lesspipe-2.06"

OSVersionArchitecturePackageVersionFilename
Gentooanyallapp-text/lesspipe< 2.06UNKNOWN

OS	Version	Architecture	Package	Version	Filename
Gentoo	any	all	app-text/lesspipe	< 2.06	UNKNOWN

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

0.003 Low

EPSS

Percentile

68.6%

JSON

Related for GLSA-202211-02