CVE-2024-32487: 
NixOS vulnerability analysis and mitigation

CVE-2024-32487 affects the less utility through version 653, allowing OS command execution via a newline character in the name of a file due to mishandled quoting in filename.c. The vulnerability was discovered and disclosed in April 2024. The issue affects the less text file browser utility, which is commonly installed by default on many Unix-like systems (NVD, OSS Security).

The vulnerability stems from less not correctly escaping newlines in pathnames when constructing command line of the input preprocessor. The issue specifically occurs in the filename.c component where quoting is mishandled. Exploitation requires the LESSOPEN environment variable to be set, which is default in many common cases. The vulnerability has been assigned a CVSS v3.1 base score of 8.6 (HIGH) with vector AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H (NVD, NetApp Advisory).

Successful exploitation of this vulnerability could lead to arbitrary command execution when processing files with crafted names. This could result in disclosure of sensitive information, addition or modification of data, or Denial of Service (DoS). The impact is particularly significant as less is commonly used as a default pager program in many Unix-like systems (Debian Advisory, NetApp Advisory).

A fix has been released in less version 654 which properly handles newline characters in filenames. Various distributions have backported the fix to their versions, including Debian which released version 487-0.1+deb10u1 for Debian 10 buster. The fix involves proper quoting of shell metacharacters and newline characters in filenames (GitHub Commit, Debian Advisory).