[原文]** DISPUTED ** Format string bug in the open_altfile function in filename.c for GNU less 382, 381, and 358 might allow local users to cause a denial of service or possibly execute arbitrary code via format strings in the LESSOPEN environment variable. NOTE: since less is not setuid or setgid, then this is not a vulnerability unless there are plausible scenarios under which privilege boundaries could be crossed.
Remote / Network Access,
Local / Remote,
Loss of Integrity
The GNU less utility has been reported to contain a remotely exploitable format string condition. According to the report, the LESSOPEN environment in filename.c may allow an attacker to execute arbitrary commands remotely. Further examination revealed this is not the case.
The vulnerability reported is incorrect. No solution required.