Security update for less SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2025:20394-1 Final 1 1 2025-06-08T13:39:11Z current 2025-06-08T13:39:11Z 2025-06-08T13:39:11Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for less This update for less fixes the following issues: - Updated to version 668 * Fixed crash when using --header on command line * Fixed possible crash when scrolling left/right or toggling -S * Fixed bug when using #stop in a lesskey file * Fixed bug when using --shift or --match-shift on command line with a parameter starting with '.' * Fixed bug in R command when file size changes * Fixed bug using --header when file does not fill screen * Fixed ^X bug when output is not a terminal * Fixed bug where ^Z is not handled immediately * Fixed bug where first byte from a LESSOPEN filter is deleted if it is greater than 0x7F * Fixed uninitialized variable in edit_ifile * Fixed incorrect handling of UTF-8 chars in prompts - Change preprocessor dependencies from Requires to Recommends. It's disabled by default and they are not necessary for less. - Updated to version 661: * fixed crash - buffer overflow by one in fexpand * fixed free(): double free detected in tcache 2 * fixed segmentation fault on line-num-width & -N - Updated to version 656: * Add ^O^N, ^O^P, ^O^L and ^O^O commands and mouse clicks (with --mouse) to find and open OSC8 hyperlinks (github #251). * Add --match-shift option. * Add --lesskey-content option (github #447). * Add LESSKEY_CONTENT environment variable (github #447). * Add --no-search-header-lines and --no-search-header-columns options (github #397). * Add ctrl-L search modifier (github #367). * A ctrl-P at the start of a shell command suppresses the "done" message (github #462). * Add attribute characters ('*', '~', '_', '&') to --color parameter (github #471). * Allow expansion of environment variables in lesskey files. * Add LESSSECURE_ALLOW environment variable (github #449). * Add LESS_UNSUPPORT environment variable. * Add line number parameter to --header option (github #436). * Mouse right-click jumps to position marked by left-click (github #390). * Ensure that the target line is not obscured by a header line set by --header (github #444). * Change default character set to "utf-8", except remains "dos" on MS-DOS. * Add message when search with ^W wraps (github #459). * UCRT builds on Windows 10 and later now support Unicode file names (github #438). * Improve behavior of interrupt while reading non-terminated pipe (github #414). * Improve parsing of -j, -x and -# options (github #393). * Support files larger than 4GB on Windows (github #417). * Support entry of Unicode chars larger than U+FFFF on Windows (github #391). * Improve colors of bold, underline and standout text on Windows. * Allow --rscroll to accept non-ASCII characters (github #483). * Allow the parameter to certain options to be terminated with a space (--color, --quotes, --rscroll, --search-options and --intr) (github #495). * Fix bug where # substitution failed after viewing help (github #420). * Fix crash if files are deleted while less is viewing them (github #404). * Workaround unreliable ReadConsoleInputW behavior on Windows with non-ASCII input. * Fix -J display when searching for non-ASCII characters (github #422). * Don't filter header lines via the & command (github #423). * Fix bug when horizontally shifting long lines (github #425). * Add -x and -D options to lesstest, to make it easier to diagnose a failed lesstest run. * Fix bug searching long lines with --incsearch and -S (github #428). * Fix bug that made ESC-} fail if top line on screen was empty (github #429). * Fix bug with --mouse on Windows when used with pipes (github #440). * Fix bug in --+OPTION command line syntax. * Fix display bug when using -w with an empty line with a CR/LF line ending (github #474). * When substituting '#' or '%' with a filename, quote the filename if it contains a space (github #480). * Fix wrong sleep time when system has usleep but not nanosleep (github #489). * Fix bug when file name contains a newline (CVE-2024-32487, bsc#1222849). * Fix bug when file name contains nonprintable characters (github #503). * Fix DJGPP build (github #497). * Update Unicode tables. - add zstd support to lessopen - Updated to 643: * Fixed problem when a program piping into less reads from the tty, like sudo asking for password (github #368). * Fixed search modifier ^E after ^W. * Fixed bug using negated (^N) search (github #374). * Fixed bug setting colors with -D on Windows build (github #386). * Fixed reading special chars like PageDown on Windows (github #378). * Fixed mouse wheel scrolling on Windows (github #379). * Fixed erroneous EOF when terminal window size changes (github #372). * Fixed compile error with some definitions of ECHONL (github #395). * Fixed crash on Windows when writing logfile (github #405). * Fixed regression in exit code when stdin is /dev/null and output is a file (github #373). * Add lesstest test suite to production release (github #344). * Change lesstest output to conform with automake Simple Test Format (github #399). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-SLE-Micro-6.1-139 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2025/suse-su-202520394-1/ Link for SUSE-SU-2025:20394-1 https://lists.suse.com/pipermail/sle-updates/2025-June/040305.html E-Mail link for SUSE-SU-2025:20394-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1047218 SUSE Bug 1047218 https://bugzilla.suse.com/1222849 SUSE Bug 1222849 https://bugzilla.suse.com/915387 SUSE Bug 915387 https://www.suse.com/security/cve/CVE-2024-32487/ SUSE CVE CVE-2024-32487 page SUSE Linux Micro 6.1 less-668-slfo.1.1_1.1 less-668-slfo.1.1_1.1 as a component of SUSE Linux Micro 6.1 less through 653 allows OS command execution via a newline character in the name of a file, because quoting is mishandled in filename.c. Exploitation typically requires use with attacker-controlled file names, such as the files extracted from an untrusted archive. Exploitation also requires the LESSOPEN environment variable, but this is set by default in many common cases. CVE-2024-32487 SUSE Linux Micro 6.1:less-668-slfo.1.1_1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520394-1/ https://www.suse.com/security/cve/CVE-2024-32487.html CVE-2024-32487 https://bugzilla.suse.com/1222849 SUSE Bug 1222849