VYPR
Unrated severity · NVD Advisory · Published Apr 14, 2015 · Updated May 6, 2026

CVE-2014-9488

Description

GNU less before 475 has an out-of-bounds read in UTF-8 decoding via malformed characters, potentially causing information disclosure.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

In GNU less before version 475, the is_utf8_well_formed function in charset.c (line 534) performs an out-of-bounds read. A malformed UTF-8 file containing a truncated multibyte character can make the function read beyond the boundaries of the allocated buffer [1].
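The bug class described above, as an added example that is not code from GNU less or from this advisory: a simplified validator that trusts the length declared by a lead byte, next to a form that is told how many bytes remain. All function names are hypothetical and the sample bytes are constructed; the checks cover lead/trail structure and bounds only, not overlong or surrogate encodings.

```c
#include <stddef.h>
#include <stdio.h>

/* Length a UTF-8 lead byte declares, or 0 if it cannot start a sequence. */
static size_t utf8_declared_len(unsigned char lead)
{
    if (lead < 0x80) return 1;
    if (lead >= 0xC2 && lead <= 0xDF) return 2;
    if (lead >= 0xE0 && lead <= 0xEF) return 3;
    if (lead >= 0xF0 && lead <= 0xF4) return 4;
    return 0;
}

/* Unchecked pattern: the function has no idea where the buffer ends. */
int utf8_ok_unchecked(const unsigned char *s)
{
    size_t len = utf8_declared_len(s[0]);
    if (len == 0) return 0;
    for (size_t i = 1; i < len; i++)
        if ((s[i] & 0xC0) != 0x80) return 0; /* s[i] may lie past the buffer */
    return 1;
}

/* Bounded form: a sequence longer than the bytes remaining is malformed. */
int utf8_ok_bounded(const unsigned char *s, size_t avail)
{
    size_t len = avail ? utf8_declared_len(s[0]) : 0;
    if (len == 0 || len > avail) return 0;
    for (size_t i = 1; i < len; i++)
        if ((s[i] & 0xC0) != 0x80) return 0;
    return 1;
}

/* Offset of the first malformed or truncated sequence, or n if none. */
size_t utf8_first_bad(const unsigned char *buf, size_t n)
{
    size_t i = 0;
    while (i < n && utf8_ok_bounded(buf + i, n - i))
        i += utf8_declared_len(buf[i]);
    return i;
}

int main(void)
{
    /* Constructed sample: "ok", then a 3-byte sequence cut off after 2 bytes. */
    const unsigned char sample[] = { 'o', 'k', 0xE2, 0x82 };
    printf("first bad offset: %zu of %zu\n", utf8_first_bad(sample, sizeof sample), sizeof sample);
    return 0;
}
```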

Exploitation

An attacker can exploit this by providing a specially crafted file containing malformed UTF-8 sequences to a user who opens it with less. No authentication or special privileges are required; the user only needs to view the file. The out-of-bounds read does not crash less but can be detected with memory debugging tools [1].

Impact

The out-of-bounds read may lead to disclosure of adjacent memory contents. The security impact is considered minor as it is only an invalid read access, but it could potentially leak sensitive information [1]. The exact impact is unspecified in the CVE description.

Mitigation

The issue is fixed in GNU less version 475, released on March 2, 2015 [1]. Users should upgrade to version 475 or later. Distributions such as Mageia have provided updated packages (e.g., less-458-2.1.mga4) [2]. No workaround is available for earlier versions.

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 7

References: 5