Amazon Linux 1 Security Advisory: ALAS-2025-1958
Advisory Release Date: 2025-01-30 04:16 Pacific
Advisory Updated Date: 2025-02-05 10:41 Pacific
less through 653 allows OS command execution via a newline character in the name of a file, because quoting is mishandled in filename.c. Exploitation typically requires use with attacker-controlled file names, such as the files extracted from an untrusted archive. Exploitation also requires the LESSOPEN environment variable, but this is set by default in many common cases. (CVE-2024-32487)
Affected Packages:
less
Issue Correction:
Run yum update less to update your system.
i686:
less-436-13.14.amzn1.i686
less-debuginfo-436-13.14.amzn1.i686
src:
less-436-13.14.amzn1.src
x86_64:
less-debuginfo-436-13.14.amzn1.x86_64
less-436-13.14.amzn1.x86_64