[18909] in bugtraq

Re: SuSe / Debian man package format string vulnerability

daemon@ATHENA.MIT.EDU (Roman Drahtmueller)
Wed Jan 31 17:49:05 2001

Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=ISO-8859-1
Message-Id:  <Pine.LNX.4.30.0101312039510.830-100000@dent.suse.de>
Date:         Wed, 31 Jan 2001 20:43:55 +0100
Reply-To: Roman Drahtmueller <draht@SUSE.DE>
From: Roman Drahtmueller <draht@SUSE.DE>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <008301c08b91$2df28080$501fb00a@cerc.dgaccp.pt>
Content-Transfer-Encoding: 8bit

>
> Hi,
>
> This issue has been discussed in vuln-dev (2001-01-26), see:
> http://www.securityfocus.com/templates/archive.pike?end=2001-01-27&tid=158724&fromthread=0&start=2001-01-21&threads=1&list=82&
>
> Posted also on suse security list, and apparently overlooked.

Yes, it was overread on suse-security@suse.com, the discussion list.
SuSE's security contact is security@suse.de.

There is no guarantee that all of the interesting postings on
suse-security@suse.com can be read. :-(

> The man package that ships with SuSE Linux (at least versions 6.1 through
> 7.0) has a format string vulnerability. Also Debian 2.2r2 (at least) is
> confirmed to have the same problem.

We'll fix it. As soon as we can.

Thanks for the note.

>
> <quote>
> jroberto@spike:~ > man -l %x%x%x%x
> man: 4000bc7438049af00: No such file or directory
> </quote>
>
> Regards,
>
> Joao Gouveia
> ------------
> tharbad@kaotik.org
>

Roman.
-- 
 -                                                                      -
| Roman Drahtmüller      <draht@suse.de> //          "Caution: Cape does |
  SuSE GmbH - Security           Phone: //       not enable user to fly."
| Nürnberg, Germany     +49-911-740530 // (Batman Costume warning label) |
 -                                                                      -
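
Added example (not part of the original message and not code from the man package): a C illustration of the bug class behind the `man -l %x%x%x%x` output quoted above, with the vulnerable call beside the fixed one. The function names `report_unsafe` and `report_safe` are hypothetical, and how man actually builds its error message is an assumption.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helpers for illustration; this is not the man source. */

/* Compilers flag the call below (-Wformat-security). The warning is
   silenced here only so the vulnerable form can sit beside the fix. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
/* VULNERABLE: the user-supplied name is used as the format string, so
   directives such as %x inside it are interpreted and consume arguments
   that were never passed (undefined behaviour; leaks memory contents). */
int report_unsafe(char *out, size_t n, const char *name)
{
    char msg[256];
    snprintf(msg, sizeof msg, name);
    return snprintf(out, n, "man: %s: No such file or directory", msg);
}
#pragma GCC diagnostic pop

/* FIXED: the format string is a constant; the name is only ever data. */
int report_safe(char *out, size_t n, const char *name)
{
    return snprintf(out, n, "man: %s: No such file or directory", name);
}

int main(void)
{
    const char *name = "%x%x%x%x";   /* the argument used in the report */
    char buf[512];

    report_safe(buf, sizeof buf, name);
    puts(buf);   /* man: %x%x%x%x: No such file or directory */

    /* Prints hex values in place of the name, as in the quoted output;
       the exact values vary by platform and build. */
    report_unsafe(buf, sizeof buf, name);
    puts(buf);
    return 0;
}
```

Building with `-Wformat -Wformat-security` (or `-Wformat=2`) and without the pragma makes the compiler report the non-literal format string in `report_unsafe`.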
