[11130] in bugtraq
Re: Troff dangerous.
daemon@ATHENA.MIT.EDU (Ronny Cook)
Mon Jul 26 20:01:50 1999
Message-Id:  <199907260238.MAA02937@iguana.mhs.oz.au>
Date:         Mon, 26 Jul 1999 12:23:30 +1000
Reply-To: Ronny Cook <ronny@TMX.COM.AU>
From: Ronny Cook <ronny@TMX.COM.AU>
X-To:         BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
> Date:         Sun, 25 Jul 1999 10:18:20 -0400
> From: John Robert LoVerso <john@LOVERSO.SOUTHBOROUGH.MA.US>
>
> This isn't a problem with "troff" or any of its variants.  Instead,
> this is an exploit purely with "groff", the GNU reimplementation.  Troff
> doesn't have the file stream or ".pso" requests; those are purely part
> of groff.
>
> Thus, this affects only systems with groff installed (all Linux and FreeBSD
> systems, at least).
>
> John
>
The original nroff had a ".pi" command (which only worked for nroff, not
troff). It pipes the output of the nroff command to a particular program,
although no command line arguments could be supplied. (This is according to
the "Nroff/Troff User's Manual", section 19: "Input/Output File Switching".)
I agree it's a concern, although having the man pages writable in the
first place is something of a risk if you ask me... I would think that the
principle of least privilege would apply.
		...Ronny
--
 Ronald Cook, Technical Manager - Message Handling Systems/The Message eXchange
 Email: ronny@tmx.com.au ----- Phone: +61-2-9550-4448 ---- Fax: +61-2-9519-2551
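
Added example, not part of the original message: a Python audit of a man page tree for the two concerns raised in this thread, roff requests that run programs or open files, and pages or directories writable by group or other. The request names `sy`, `open` and `opena`, the function names and the sample page are assumptions added here; the thread itself names only `.pso`, `.pi` and groff's file stream requests.

```python
import gzip
import os
import re
import stat

# Requests that run programs or open files from within a document.
# .pso and .pi are named in the thread; .sy, .open and .opena are the other
# requests groff treats as unsafe (assumption: taken from groff's documentation).
UNSAFE = re.compile(r"^[.'][ \t]*(pso|pi|sy|opena|open)(?=[ \t]|$)")

def scan_roff(text):
    """Return [(line_number, request)] for control lines using an unsafe request."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        m = UNSAFE.match(line)
        if m:
            hits.append((n, m.group(1)))
    return hits

def loosely_writable(mode):
    """True if group or other may write (the least-privilege concern above)."""
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))

def audit_tree(root):
    """Walk a man tree; report unsafe requests and loosely writable paths."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        if loosely_writable(os.stat(dirpath).st_mode):
            findings.append((dirpath, "writable-dir", None))
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, devices and other non-regular entries
            if loosely_writable(st.st_mode):
                findings.append((path, "writable-file", None))
            opener = gzip.open if name.endswith(".gz") else open
            try:
                with opener(path, "rt", encoding="latin-1") as fh:
                    text = fh.read()
            except (OSError, EOFError):
                continue  # unreadable or corrupt page: nothing to scan
            for n, req in scan_roff(text):
                findings.append((path, "unsafe-request", (n, req)))
    return findings

# Constructed sample page (not from the thread) for a quick self-check.
SAMPLE = ".TH DEMO 1\n.SH NAME\ndemo \\- sample\n.pso date\n.pin 3\n'  pi lpr\n"

if __name__ == "__main__":
    print(scan_roff(SAMPLE))
```

A line scan like this misses requests reached through renamed or aliased request names, so a clean result is a first pass rather than proof that a page is safe to format.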