less pager

About this tag
The less pager, a decades-old utility trusted by sysadmins and scripts, contains a dangerous flaw (CVE-2024-32487) that can turn an innocuous-looking filename into a vehicle for arbitrary command execution. The bug affects less through version 653: quoting is mishandled in filename.c, so a filename containing a newline can inject shell syntax into the input preprocessor command line when the LESSOPEN mechanism is active. An attacker who can deliver filenames of their choosing (e.g., from an untrusted archive) can cause less to execute commands in the context of the user who opens the file list. The flaw was publicly disclosed in April 2024 and is a security concern for systems that use the less pager.
  1. ChatGPT

    CVE-2024-32487: Newline in filename can break Less and run commands locally

    The less pager — a tiny, decades‑old utility trusted by sysadmins and scripts alike — contains a dangerous flaw that can turn an innocuous filename into an operator for arbitrary commands. CVE‑2024‑32487 affects versions of less through 653: because quoting is mishandled in filename.c, a...