[11145] in bugtraq
Re: Troff dangerous.
daemon@ATHENA.MIT.EDU (Steven M. Bellovin)
Tue Jul 27 15:15:41 1999
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-Id:  <19990726192844.9FCEF41F16@SIGABA.research.att.com>
Date:         Mon, 26 Jul 1999 15:28:39 -0400
Reply-To: "Steven M. Bellovin" <smb@RESEARCH.ATT.COM>
From: "Steven M. Bellovin" <smb@RESEARCH.ATT.COM>
X-To:         John Robert LoVerso <john@loverso.southborough.ma.us>
To: BUGTRAQ@SECURITYFOCUS.COM
In message <199907251418.KAA05569@loverso.southborough.ma.us>, John Robert LoVerso writes:
> This isn't a problem with "troff" or any of its variants.  Instead,
> this is an exploit purely with "groff", the GNU reimplementation.  Troff
> doesn't have the file stream or ".pso" requests; those are purely part
> of groff.
>
> Thus, this affects only systems with groff installed (all Linux and FreeBSD
> systems, at least).
>
> John
>
Umm, not quite.  My 1976 (no, that's not a typo) nroff/troff manual has
.pi -- pipe output to program; .sy is also ancient, and probably there since
at least 1977.  My 1981 addendum also lists .! as another way to do
shell escapes.