
To resolve CVE-2022-48624 on an Ubuntu host running Nginx, the first thing to understand is that the finding is against the "less" package, not Nginx itself. The vulnerability affects less before version 606: close_altfile in filename.c omits the shell_quote calls when it builds the LESSCLOSE command, so shell metacharacters in the substituted file name reach the shell unquoted and can inject commands.

The installed version here is 551, so the upstream number is in the affected range. The goal is a less that carries the fix, which upstream shipped in 606.

CVE-2022-48624
close_altfile in filename.c in less before 606 omits shell_quote calls for LESSCLOSE.

In other words, the fix for CVE-2022-48624 is to move the "less" package to a version that contains the security patch.
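What the missing shell_quote call means in practice, as an added illustration that is neither less's own code nor part of the original page: a command template standing in for LESSCLOSE is expanded with a file name and handed to /bin/sh, once without quoting (the bug class the CVE describes) and once through a POSIX single-quote routine. The template, the hostile file name and the INJECTED marker are constructed for the demo, and the only command the template runs is true, so it is harmless to execute.

```shell
#!/bin/sh
# Added illustration of the bug class behind CVE-2022-48624. This is not code
# from less and not from the original post: a command template standing in for
# LESSCLOSE is expanded with a file name and run through /bin/sh, once without
# quoting (the omitted shell_quote call) and once with the value quoted.
# TEMPLATE, HOSTILE_NAME and the INJECTED marker are constructed; the only
# command the template runs is `true`, so the demo is harmless.

# shell_quote VALUE -> VALUE as a single shell word in single quotes, with any
# embedded single quote rendered as '\'' (the POSIX-safe idiom).
shell_quote() {
    printf "'%s'" "$(printf '%s\n' "$1" | sed "s/'/'\\\\''/g")"
}

# expand_unsafe TEMPLATE VALUE -> plain %s substitution, no quoting: whatever
# shell syntax the value carries becomes part of the command line.
expand_unsafe() {
    printf "$1" "$2"
}

# expand_safe TEMPLATE VALUE -> the same substitution, value quoted first, so
# the shell sees it as one argument no matter what characters it contains.
expand_safe() {
    printf "$1" "$(shell_quote "$2")"
}

# run_cmd CMD -> hand the expanded command to /bin/sh, the way less runs the
# LESSOPEN/LESSCLOSE commands, and return whatever it printed.
run_cmd() {
    sh -c "$1" 2>/dev/null
}

# Constructed inputs: a harmless template and a file name that smuggles in a
# second command after a ';'.
TEMPLATE='true %s'
HOSTILE_NAME="report.txt; echo INJECTED"

# Unquoted expansion executes the smuggled command; quoted expansion does not.
unsafe_cmd=$(expand_unsafe "$TEMPLATE" "$HOSTILE_NAME")   # true report.txt; echo INJECTED
safe_cmd=$(expand_safe "$TEMPLATE" "$HOSTILE_NAME")       # true 'report.txt; echo INJECTED'
unsafe_out=$(run_cmd "$unsafe_cmd")                         # INJECTED
safe_out=$(run_cmd "$safe_cmd")                             # (nothing)

echo "unquoted : $unsafe_cmd -> [$unsafe_out]"
echo "quoted   : $safe_cmd -> [$safe_out]"
```

The quoting routine is the same idea as less's shell_quote: wrap the value in single quotes and rewrite any embedded single quote as '\'' so the shell never leaves the quoted word. The point of the exercise is that the fix is applied at the place where the value is spliced into the command, not by filtering file names elsewhere.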

Begin with a version check:

less --version

Response

551


First refresh the package lists and let apt upgrade less to the newest version the enabled repositories offer:

sudo apt-get update
sudo apt-get install --only-upgrade less

Once apt has finished, check the version again to confirm what was installed:

less --version

Another version check and I'm still at 551.


It is also worth seeing exactly which versions of the less package the configured repositories offer:

sudo apt-get update
apt list -a less

Response

less/focal-updates,focal-security,now 551-1ubuntu0.2 amd64 [installed,automatic]
less/focal 551-1 amd64

Both lines show a 551-based package, and that is expected: Ubuntu 20.04 (focal) stays on upstream release 551 for the life of the release and ships security fixes as patches on top of it, which is what the 551-1ubuntu0.2 revision from focal-security reflects. The upstream version number therefore cannot tell you on its own whether this CVE is fixed; the package changelog shipped under /usr/share/doc/less/ and the Ubuntu CVE tracker entry (https://ubuntu.com/security/CVE-2022-48624) are the authoritative sources, and a scanner that keys only on the upstream number will flag the package either way. If the focal package does not carry the fix, or you need the upstream version itself to be 606 or later, the options are:

Check for Backports or Third-Party Repositories

Some distributions provide backports or additional repositories with newer software versions. Check whether focal-backports or a third-party repository offers a more recent less for Ubuntu 20.04, bearing in mind that adding a third-party repository extends the set of parties whose signing keys can install software on the host.

Compile and Install from Source

Alternatively, download the source for less from the official website, build it, and install it manually. Two consequences to keep in mind: the default install prefix is /usr/local, so the new binary lands in /usr/local/bin/less while the dpkg-managed /usr/bin/less stays in place (and dpkg still reports 551), and a locally built less receives no further security updates from apt, so future patching is on you.

wget https://www.greenwoodsoftware.com/less/less-633.tar.gz
tar -xzf less-633.tar.gz
cd less-633
./configure
make
sudo make install


Whilst executing the command 

./configure

I had the following error

checking for working terminal libraries... Cannot find terminal libraries - configure failed

The message "Cannot find terminal libraries" means the configure script could not find a curses or termcap library to link against (the ltinfo, lncurses and ltermcap probes in the appendix all report "no"). On Ubuntu this is a missing development package.

To resolve it, install the ncurses development package. On focal, libncurses5-dev is a transitional package that pulls in libncurses-dev, as the apt output in the appendix shows:

sudo apt-get update
sudo apt-get install libncurses5-dev

Once the development package is installed, run ./configure again. If other dependencies are missing, configure will name them; install those as well.

After successfully configuring, proceed with the compilation process as follows:

make
sudo make install

This will compile and install the "less" program from source on your system. 

sudo reboot

A reboot is not actually required: less is an ordinary user-space program, and the new binary is live as soon as make install has written it. What matters is that /usr/local/bin/less is found before /usr/bin/less, which a default PATH guarantees, but a shell that has already run less may have cached the old location, so open a fresh shell (or clear the hash table with hash -r in bash) before checking. Verify the installation by running less --version to confirm that the new version is the one that executes.

Now the response is

less 633 (POSIX regular expressions)
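Both the apt result earlier (a 551-based package from focal-security) and this final less --version check are answering the same question, so here is one script, added as an example and not part of the original post, that answers it properly. It parses the version line, consults the package changelog only when the binary on PATH is dpkg-owned (a /usr/local build has no changelog, and a focal package can carry the fix as a backport without the upstream number changing), and lists every less on PATH so a stale /usr/bin/less is not mistaken for the one that runs. The changelog path and the "fixed in 606" threshold are the standard Debian location and the CVE text; the sample version strings and changelog entries at the bottom are constructed for the offline checks and are not claims about which Ubuntu package revision actually contains the fix.

```shell
#!/bin/sh
# Added example, not from the original post: decide whether the `less` that
# actually executes on this host is fixed for CVE-2022-48624, using two
# independent signals:
#   1. the upstream version printed by `less --version` (fix landed in 606);
#   2. the Ubuntu package changelog, because Ubuntu backports security fixes
#      without changing the upstream version, so "551" on its own proves
#      nothing either way. The changelog is consulted only when the binary on
#      PATH is the dpkg-managed one; a /usr/local build is judged by version.

CVE="CVE-2022-48624"
FIXED_UPSTREAM=606
CHANGELOG=/usr/share/doc/less/changelog.Debian.gz   # standard Debian location

# less_major VERSION_OUTPUT -> the integer version from the first line,
# e.g. "less 633 (POSIX regular expressions)" -> 633; empty if unparseable.
less_major() {
    printf '%s\n' "$1" | sed -n '1s/^less \([0-9][0-9]*\).*/\1/p'
}

# upstream_fixed VERSION_OUTPUT -> exit 0 when the upstream version is >= 606.
upstream_fixed() {
    v=$(less_major "$1")
    [ -n "$v" ] && [ "$v" -ge "$FIXED_UPSTREAM" ]
}

# changelog_mentions CHANGELOG_TEXT -> exit 0 when the packager recorded this CVE.
changelog_mentions() {
    printf '%s\n' "$1" | grep -q "$CVE"
}

# verdict VERSION_OUTPUT CHANGELOG_TEXT -> "fixed" or "vulnerable".
verdict() {
    if upstream_fixed "$1" || changelog_mentions "$2"; then
        echo fixed
    else
        echo vulnerable
    fi
}

# Live check against the real host; skipped when less is not installed.
live_check() {
    bin=$(command -v less) || { echo "less: not found"; return 1; }
    ver=$(less --version 2>/dev/null) || ver=""
    log=""
    # Only a dpkg-owned binary inherits the package changelog's fix history.
    if dpkg -S "$bin" >/dev/null 2>&1 && [ -r "$CHANGELOG" ]; then
        log=$(zcat "$CHANGELOG") || log=""
    fi
    echo "binary on PATH : $bin"
    echo "all candidates : $(which -a less 2>/dev/null | tr '\n' ' ')"
    echo "version line   : $(printf '%s\n' "$ver" | sed 1q)"
    echo "verdict        : $(verdict "$ver" "$log")"
}

# Constructed samples (illustrative only; the package revisions below are not
# claims about which Ubuntu package actually carries the fix).
SAMPLE_OLD='less 551 (GNU regular expressions)
Copyright (C) 1984-2019  Mark Nudelman'
SAMPLE_NEW='less 633 (POSIX regular expressions)'
SAMPLE_LOG_NOFIX='less (551-1) unstable; urgency=medium

  * New upstream release (constructed entry).'
SAMPLE_LOG_FIX='less (551-1ubuntu0.N) focal-security; urgency=medium

  * SECURITY UPDATE: shell command injection via LESSCLOSE
    - CVE-2022-48624 (constructed entry)'

if command -v less >/dev/null 2>&1; then
    live_check
fi
```

Run it once before touching anything and once after the install: a "fixed" verdict on a 551 binary means the Ubuntu changelog records the CVE, while a "fixed" verdict on the /usr/local build rests on the upstream version alone, and the candidate list tells you which of the two your shell will actually execute.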


Appendix: Responses during the update process

less version check

less --version

Response

less 551 (GNU regular expressions)
Copyright (C) 1984-2019  Mark Nudelman

less comes with NO WARRANTY, to the extent permitted by law.
For information about the terms of redistribution,
see the file named README in the less distribution.
Home page: http://www.greenwoodsoftware.com/less


Download less 633

wget https://www.greenwoodsoftware.com/less/less-633.tar.gz

Response

--2024-03-17 23:41:18--  https://www.greenwoodsoftware.com/less/less-633.tar.gz
Resolving www.greenwoodsoftware.com (www.greenwoodsoftware.com)... 104.200.21.227
Connecting to www.greenwoodsoftware.com (www.greenwoodsoftware.com)|104.200.21.227|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 375733 (367K) [application/x-gzip]
Saving to: ‘less-633.tar.gz’

less-633.tar.gz         100%[===============================>] 366.93K   497KB/s    in 0.7s

2024-03-17 23:41:19 (497 KB/s) - ‘less-633.tar.gz’ saved [375733/375733]


Run configure

./configure

Response

checking for gcc... gcc
checking whether the C compiler works... yes
checking for C compiler default output file name... a.out
checking for suffix of executables...
checking whether we are cross compiling... no
checking for suffix of object files... o
checking whether we are using the GNU C compiler... yes
checking whether gcc accepts -g... yes
checking for gcc option to accept ISO C89... none needed
checking for library containing strerror... none required
checking how to run the C preprocessor... gcc -E
checking for grep that handles long lines and -e... /usr/bin/grep
checking for egrep... /usr/bin/grep -E
checking whether gcc needs -traditional... no
checking for a BSD-compatible install... /usr/bin/install -c
checking for special C compiler options needed for large files... no
checking for _FILE_OFFSET_BITS value needed for large files... no
checking for tgoto in -ltinfo... no
checking for tgoto in -ltinfow... no
checking for initscr in -lxcurses... no
checking for initscr in -lncursesw... no
checking for initscr in -lncurses... no
checking for initscr in -lcurses... no
checking for tgetent in -ltermcap... no
checking for tgetent in -ltermlib... no
checking for library containing regcmp... no
checking for ANSI C header files... yes
checking for sys/types.h... yes
checking for sys/stat.h... yes
checking for stdlib.h... yes
checking for string.h... yes
checking for memory.h... yes
checking for strings.h... yes
checking for inttypes.h... yes
checking for stdint.h... yes
checking for unistd.h... yes
checking for ctype.h... yes
checking for errno.h... yes
checking for fcntl.h... yes
checking for inttypes.h... (cached) yes
checking for limits.h... yes
checking for stdckdint.h... no
checking for stdio.h... yes
checking for stdlib.h... (cached) yes
checking for string.h... (cached) yes
checking for termcap.h... no
checking for ncurses/termcap.h... no
checking for ncursesw/termcap.h... no
checking for termio.h... yes
checking for termios.h... yes
checking for time.h... yes
checking for unistd.h... (cached) yes
checking for values.h... yes
checking for linux/magic.h... yes
checking for sys/ioctl.h... yes
checking for sys/stream.h... no
checking for sys/types.h... (cached) yes
checking for sys/wait.h... yes
checking for wctype.h... yes
checking whether stat file-mode macros are broken... no
checking for an ANSI C-conforming const... yes
checking for off_t... yes
checking for size_t... yes
checking for working terminal libraries... Cannot find terminal libraries - configure failed


Adding the missing development package

sudo apt-get install libncurses5-dev

Response

Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages were automatically installed and are no longer required:
  geoip-database libfwupdplugin1 libgeoip1 libllvm11 libxmlb1 php7.4-fpm php7.4-gd
  php7.4-mysql php7.4-xml
Use 'sudo apt autoremove' to remove them.
The following additional packages will be installed:
  libncurses-dev
Suggested packages:
  ncurses-doc
The following NEW packages will be installed:
  libncurses-dev libncurses5-dev
0 upgraded, 2 newly installed, 0 to remove and 0 not upgraded.
Need to get 341 kB of archives.
After this operation, 2404 kB of additional disk space will be used.
Do you want to continue? [Y/n] Y
Get:1 http://azure.archive.ubuntu.com/ubuntu focal-updates/main amd64 libncurses-dev amd64 6.2-0ubuntu2.1 [340 kB]
Get:2 http://azure.archive.ubuntu.com/ubuntu focal-updates/main amd64 libncurses5-dev amd64 6.2-0ubuntu2.1 [984 B]
Fetched 341 kB in 1s (356 kB/s)
Selecting previously unselected package libncurses-dev:amd64.
(Reading database ... 151791 files and directories currently installed.)
Preparing to unpack .../libncurses-dev_6.2-0ubuntu2.1_amd64.deb ...
Unpacking libncurses-dev:amd64 (6.2-0ubuntu2.1) ...
Selecting previously unselected package libncurses5-dev:amd64.
Preparing to unpack .../libncurses5-dev_6.2-0ubuntu2.1_amd64.deb ...
Unpacking libncurses5-dev:amd64 (6.2-0ubuntu2.1) ...
Setting up libncurses-dev:amd64 (6.2-0ubuntu2.1) ...
Setting up libncurses5-dev:amd64 (6.2-0ubuntu2.1) ...
Processing triggers for man-db (2.9.1-1) ...


Running make command

make

Response

test ! -f stamp-h || CONFIG_FILES= CONFIG_HEADERS=defines.h ./config.status
touch stamp-h
gcc -I. -c -DBINDIR=\"/usr/local/bin\" -DSYSDIR=\"/usr/local/etc\"  -g -O2 main.c
gcc -I. -c -DBINDIR=\"/usr/local/bin\" -DSYSDIR=\"/usr/local/etc\"  -g -O2 screen.c
gcc -I. -c -DBINDIR=\"/usr/local/bin\" -DSYSDIR=\"/usr/local/etc\"  -g -O2 brac.c
gcc -I. -c -DBINDIR=\"/usr/local/bin\" -DSYSDIR=\"/usr/local/etc\"  -g -O2 ch.c
ch.c: In function ‘sync_logfile’:
ch.c:418:5: warning: ignoring return value of ‘write’, declared with attribute warn_unused_result [-Wunused-result]
  418 |     write(logfile, (char *) bp->data, bp->datasize);
      |     ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
ch.c: In function ‘ch_get’:
ch.c:299:4: warning: ignoring return value of ‘write’, declared with attribute warn_unused_result [-Wunused-result]
  299 |    write(logfile, (char *) &bp->data[bp->datasize], n);
      |    ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
gcc -I. -c -DBINDIR=\"/usr/local/bin\" -DSYSDIR=\"/usr/local/etc\"  -g -O2 charset.c
gcc -I. -c -DBINDIR=\"/usr/local/bin\" -DSYSDIR=\"/usr/local/etc\"  -g -O2 cmdbuf.c
gcc -I. -c -DBINDIR=\"/usr/local/bin\" -DSYSDIR=\"/usr/local/etc\"  -g -O2 command.c
gcc -I. -c -DBINDIR=\"/usr/local/bin\" -DSYSDIR=\"/usr/local/etc\"  -g -O2 cvt.c
gcc -I. -c -DBINDIR=\"/usr/local/bin\" -DSYSDIR=\"/usr/local/etc\"  -g -O2 decode.c
gcc -I. -c -DBINDIR=\"/usr/local/bin\" -DSYSDIR=\"/usr/local/etc\"  -g -O2 edit.c
gcc -I. -c -DBINDIR=\"/usr/local/bin\" -DSYSDIR=\"/usr/local/etc\"  -g -O2 filename.c
gcc -I. -c -DBINDIR=\"/usr/local/bin\" -DSYSDIR=\"/usr/local/etc\"  -g -O2 forwback.c
gcc -I. -c -DBINDIR=\"/usr/local/bin\" -DSYSDIR=\"/usr/local/etc\"  -g -O2 help.c
gcc -I. -c -DBINDIR=\"/usr/local/bin\" -DSYSDIR=\"/usr/local/etc\"  -g -O2 ifile.c
gcc -I. -c -DBINDIR=\"/usr/local/bin\" -DSYSDIR=\"/usr/local/etc\"  -g -O2 input.c
gcc -I. -c -DBINDIR=\"/usr/local/bin\" -DSYSDIR=\"/usr/local/etc\"  -g -O2 jump.c
gcc -I. -c -DBINDIR=\"/usr/local/bin\" -DSYSDIR=\"/usr/local/etc\"  -g -O2 line.c
gcc -I. -c -DBINDIR=\"/usr/local/bin\" -DSYSDIR=\"/usr/local/etc\"  -g -O2 linenum.c
gcc -I. -c -DBINDIR=\"/usr/local/bin\" -DSYSDIR=\"/usr/local/etc\"  -g -O2 lsystem.c
lsystem.c: In function ‘lsystem’:
lsystem.c:119:3: warning: ignoring return value of ‘dup’, declared with attribute warn_unused_result [-Wunused-result]
  119 |   dup(inp);
      |   ^~~~~~~~
lsystem.c:153:2: warning: ignoring return value of ‘system’, declared with attribute warn_unused_result [-Wunused-result]
  153 |  system(p);
      |  ^~~~~~~~~
lsystem.c:178:2: warning: ignoring return value of ‘dup’, declared with attribute warn_unused_result [-Wunused-result]
  178 |  dup(inp);
      |  ^~~~~~~~
gcc -I. -c -DBINDIR=\"/usr/local/bin\" -DSYSDIR=\"/usr/local/etc\"  -g -O2 mark.c
gcc -I. -c -DBINDIR=\"/usr/local/bin\" -DSYSDIR=\"/usr/local/etc\"  -g -O2 optfunc.c
gcc -I. -c -DBINDIR=\"/usr/local/bin\" -DSYSDIR=\"/usr/local/etc\"  -g -O2 option.c
gcc -I. -c -DBINDIR=\"/usr/local/bin\" -DSYSDIR=\"/usr/local/etc\"  -g -O2 opttbl.c
gcc -I. -c -DBINDIR=\"/usr/local/bin\" -DSYSDIR=\"/usr/local/etc\"  -g -O2 os.c
gcc -I. -c -DBINDIR=\"/usr/local/bin\" -DSYSDIR=\"/usr/local/etc\"  -g -O2 output.c
gcc -I. -c -DBINDIR=\"/usr/local/bin\" -DSYSDIR=\"/usr/local/etc\"  -g -O2 pattern.c
gcc -I. -c -DBINDIR=\"/usr/local/bin\" -DSYSDIR=\"/usr/local/etc\"  -g -O2 position.c
gcc -I. -c -DBINDIR=\"/usr/local/bin\" -DSYSDIR=\"/usr/local/etc\"  -g -O2 prompt.c
gcc -I. -c -DBINDIR=\"/usr/local/bin\" -DSYSDIR=\"/usr/local/etc\"  -g -O2 search.c
gcc -I. -c -DBINDIR=\"/usr/local/bin\" -DSYSDIR=\"/usr/local/etc\"  -g -O2 signal.c
gcc -I. -c -DBINDIR=\"/usr/local/bin\" -DSYSDIR=\"/usr/local/etc\"  -g -O2 tags.c
gcc -I. -c -DBINDIR=\"/usr/local/bin\" -DSYSDIR=\"/usr/local/etc\"  -g -O2 ttyin.c
gcc -I. -c -DBINDIR=\"/usr/local/bin\" -DSYSDIR=\"/usr/local/etc\"  -g -O2 version.c
gcc -I. -c -DBINDIR=\"/usr/local/bin\" -DSYSDIR=\"/usr/local/etc\"  -g -O2 xbuf.c
gcc -I. -c -DBINDIR=\"/usr/local/bin\" -DSYSDIR=\"/usr/local/etc\"  -g -O2 lesskey_parse.c
gcc  -o less main.o screen.o brac.o ch.o charset.o cmdbuf.o command.o cvt.o decode.o edit.o filename.o forwback.o help.o ifile.o input.o jump.o line.o linenum.o lsystem.o mark.o optfunc.o option.o opttbl.o os.o output.o pattern.o position.o prompt.o search.o signal.o tags.o ttyin.o version.o xbuf.o   lesskey_parse.o -ltinfo
gcc -I. -c -DBINDIR=\"/usr/local/bin\" -DSYSDIR=\"/usr/local/etc\"  -g -O2 lesskey.c
gcc  -o lesskey lesskey.o lesskey_parse.o xbuf.o version.o
gcc -I. -c -DBINDIR=\"/usr/local/bin\" -DSYSDIR=\"/usr/local/etc\"  -g -O2 lessecho.c
gcc  -o lessecho lessecho.o version.o

