[18987] in bugtraq


Re: SuSe / Debian man package format string vulnerability

daemon@ATHENA.MIT.EDU (StyX)
Sat Feb 3 18:53:52 2001

MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID:  <3A7C2431.35F9FD10@mailbox.as>
Date:         Sat, 3 Feb 2001 16:30:57 +0100
Reply-To: StyX <styx@MAILBOX.AS>
From: StyX <styx@MAILBOX.AS>
To: BUGTRAQ@SECURITYFOCUS.COM

Joao Gouveia wrote:
>
> Hi,
>
> This issue has been discussed in vuln-dev (2001-01-26), see:
> http://www.securityfocus.com/templates/archive.pike?end=2001-01-27&tid=158724&fromthread=0&start=2001-01-21&threads=1&list=82&
>
> Posted also on suse security list, and apparently overlooked.
>
> The man package that ships with SuSe Linux ( at least versions 6.1 through
> 7.0 ) has a format string vulnerability. Also Debian 2.2r2 ( at least ), is
> confirmed to have the same problem.
>
> <quote>
> jroberto@spike:~ > man -l %x%x%x%x
> man: 4000bc7438049af00: No such file or directory
> </quote>
>
> Regards,
>
> Joao Gouveia
> ------------
> tharbad@kaotik.org

Hmm... What about this?

styx@SuxOS-devel:~$ man -l %n%n%n%n
man: Segmentation fault
styx@SuxOS-devel:~$

This was on my Debian 2.2 potato system (It doesn't dump core though).

--

StyX
styx@mailbox.as

-----BEGIN GEEK CODE BLOCK-----
Version: 3.1
GCM/CS/CC/IT d?>d s:>s++:++ a? C++>C++++$ UL++++
P+>P+++++ L+++>L+++++ E--- W++>$ N++ w--- PS PE Y+
PGP>PGP+++ t+ 5 X+ R+ tv+ b+ D-- G++ e->e+++++ h-->h++ y?
------END GEEK CODE BLOCK------
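
Added example, not part of the original message and not man's source code: both transcripts in this thread are what a printf-family call produces when a caller-supplied file name is used as the format argument. The sketch below shows the hardened form of such an error reporter next to the vulnerable pattern (kept in a comment), plus a small audit helper; report_open_error and count_directives are hypothetical names.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical error reporter, not man's source. The vulnerable pattern is
 *     fprintf(stderr, name);            // name is parsed as a format string
 * The hardened form below passes name only as data for a fixed "%s". */
int report_open_error(char *out, size_t outlen, const char *name, int err)
{
    return snprintf(out, outlen, "man: %s: %s", name, strerror(err));
}

/* Count printf conversion directives in an untrusted string, treating "%%"
 * as a literal percent sign. Useful as an audit or logging check on
 * arguments that reach a message-formatting path. */
int count_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {      /* escaped percent, not a directive */
            s++;
            continue;
        }
        if (s[1] != '\0')       /* a lone trailing '%' is not counted */
            n++;
    }
    return n;
}

int main(void)
{
    /* Constructed inputs: the two arguments shown in the thread. */
    const char *args[] = { "%x%x%x%x", "%n%n%n%n" };
    char msg[256];
    for (size_t i = 0; i < 2; i++) {
        report_open_error(msg, sizeof msg, args[i], ENOENT);
        fprintf(stderr, "%s (directives in argument: %d)\n",
                msg, count_directives(args[i]));
    }
    return 0;
}
```

With the fixed "%s" format the argument is echoed literally instead of being interpreted. GCC's -Wformat -Wformat-security warns about the non-literal format call shown in the comment.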
