CVE-2022-46663: 
NixOS vulnerability analysis and mitigation

GNU Less versions before 609 contain a vulnerability (CVE-2022-46663) that allows crafted data to bypass ANSI escape sequence filtering when using the 'less -R' command. The vulnerability was discovered by David Leadbeater and affects GNU less versions 566 through 608 (Openwall, NVD).

The vulnerability stems from incorrect terminal state machine handling in the escape sequence filtering mechanism. When processing certain ANSI escape sequences, the application fails to properly filter them before sending them to the terminal. This can be demonstrated using specific crafted input sequences such as '\e]8;;\e0m\e[>0q' which triggers unintended terminal responses (Openwall). The issue was introduced in version 566 through commit 0f810ef and was later fixed in version 609 through commit a78e1351 (Debian).

When exploited, this vulnerability can result in a denial of service condition in terminal emulators such as xterm or iTerm 2. The exploit can cause the terminal to enter a loop where it continuously scrolls up and down, effectively disrupting normal operation. Additionally, it can allow manipulation of terminal output and clear terminal content (Gentoo, Openwall).

The vulnerability has been fixed in GNU Less version 609. Users are advised to upgrade to this version or later. Various Linux distributions have also released patched versions, including Fedora 37 with version 633-1.fc37 and Gentoo with version 608-r2 (Fedora, Gentoo).