[11176] in bugtraq
Re: Troff dangerous.
daemon@ATHENA.MIT.EDU (Friedrich Delgado Friedrichs)
Thu Jul 29 01:08:49 1999
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
Message-Id: <19990728110138.B480@moppel.burse.uni-hamburg.de>
Date: Wed, 28 Jul 1999 11:01:38 +0200
Reply-To: Friedrich Delgado Friedrichs <friedel@www.BURSE.UNI-HAMBURG.DE>
From: Friedrich Delgado Friedrichs <friedel@www.BURSE.UNI-HAMBURG.DE>
X-To: BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <Pine.GSO.3.96.990727000537.22867A-100000@ug>; from Aaron
Campbell on Tue, Jul 27, 1999 at 12:45:30AM -0300
Hi!
Aaron Campbell wrote on Tuesday, 27 July 1999, at 00:45:
> On Mon, 26 Jul 1999, Nic Bellamy wrote:
>
> > I've also checked OpenBSD 2.5 and FreeBSD 3.2 - the groff on both systems
> > defaults to the unsafe behaviour.
>
> OpenBSD-current has been fixed to pass the -S (safer mode) option to groff
> from the nroff.sh script. Please see the following URL:
>
> http://www.openbsd.org/cgi-bin/cvsweb/src/gnu/usr.bin/groff/nroff/nroff.sh
Thanks for this hint. I'd like to add that it appears that on a SuSE Linux system
(only checked SuSE 6.1) /usr/bin/nroff is a shell script which calls groff.
Additionally if you execute less on a manpage, groff is called via
/usr/bin/lesspipe.sh.
Both scripts default to the unsafe behaviour. Thus viewing manpages with less
(unless you set the environment variable LESSSECURE [with 3 'S'!] which
actually should be named MORESECURE imho ;-) ) is also dangerous.
Imagine *evaluating* manpages that are packed with sources, and mistakenly doing
it with less... Oops!
Inserting the -S flag into the calls to groff in /usr/bin/nroff and
/usr/bin/lesspipe.sh fixes the problem.
This might help on several other systems.
> Since we were on the subject of a fairly *cough* minor *cough* security issue
> I thought I'd bring this up.
---End of quote---
Minor it might be, and old as well. But nevertheless it annoyed me and several other
people quite a lot (if I look at this thread). It annoyed me especially since I am
very used to using less instead of more.
Regards
Friedel
--
Friedrich Delgado Friedrichs <friedel@nomaden.org>
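
A way to check wrapper scripts for the fix described in the message above, as an added example that is not part of the original post: a shell function that lists groff invocations which do not pass -S. The function name is hypothetical, the sample wrappers are constructed (they are not the real SuSE or OpenBSD scripts), and -S is assumed to appear as its own word on the command line.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes -S is written as its
# own word on the groff command line (not bundled into another option).

# unsafe_groff_calls FILE
# Prints "FILE:LINE: command" for every groff invocation without -S.
# Exit status: 0 if every call carries -S (or there are none), 1 otherwise.
unsafe_groff_calls() {
    awk -v f="$1" '
    BEGIN {
        groff_re = "(^|[^A-Za-z0-9_.-])groff([ \t]|$)"   # groff or /path/groff
        safe_re  = "(^|[ \t])-S([ \t]|$)"                # standalone -S
    }
    {
        if (buf == "") start = NR                        # first line of command
        line = buf $0
        if (sub(/\\$/, " ", line)) { buf = line; next }  # join continuations
        buf = ""
        if (line ~ /^[ \t]*#/) next                      # skip comment lines
        if (line ~ groff_re && line !~ safe_re) {
            printf "%s:%d: %s\n", f, start, line
            bad = 1
        }
    }
    END { exit bad + 0 }' "$1"
}

# Constructed sample wrappers, one before and one after the fix.
demo_dir=$(mktemp -d)
cat > "$demo_dir/nroff.unsafe" <<'EOF'
#!/bin/sh
# groff -S would be safer
exec groff -Wall -mtty-char -Tlatin1 "$@"
EOF
cat > "$demo_dir/nroff.fixed" <<'EOF'
#!/bin/sh
exec groff -S -Wall -mtty-char \
    -Tlatin1 "$@"
EOF

unsafe_groff_calls "$demo_dir/nroff.unsafe" || echo "needs -S"
unsafe_groff_calls "$demo_dir/nroff.fixed" && echo "ok"
```

On a real system the function would be pointed at /usr/bin/nroff and /usr/bin/lesspipe.sh, the two scripts named in the message.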