[19002] in bugtraq


Re: SuSe / Debian man package format string vulnerability

daemon@ATHENA.MIT.EDU (Ethan Benson)
Mon Feb 5 01:32:00 2001

Message-ID:  <20010204210624.W6907@plato.local.lan>
Date:         Sun, 4 Feb 2001 21:06:24 -0900
Reply-To: Ethan Benson <erbenson@ALASKA.NET>
From: Ethan Benson <erbenson@ALASKA.NET>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <20010204014834.A1351@lin-gen.com>; from rvdm@CISTRON.NL on Sun,
              Feb 04, 2001 at 01:48:34AM +0100

On Sun, Feb 04, 2001 at 01:48:34AM +0100, Robert van der Meulen wrote:
> Hi,
>=20
> Quoting StyX (styx@MAILBOX.AS):
> > styx@SuxOS-devel:~$ man -l %n%n%n%n
> > man: Segmentation fault
> > styx@SuxOS-devel:~$
> >
> > This was on my Debian 2.2 potato system (It doesn't dump core though).
> Just for the record:
> on a lot of systems (including Debian), 'man' is not suid/sgid anything, and
> this doesn't impose a security problem.
> I don't know about Suse/Redhat/others.

This is not correct, on Debian man is suid man and /var/cache/man
(cached preformatted man pages) is owned by user man.  It is suid
rather than setgid so users do not end up owning more files in /var.

On Debian /usr/bin/man is really a wrapper program which, when run as
root, does a setuid man before execing /usr/lib/man-db/man.  The idea
is to prevent a user man compromise from turning into a root
compromise.  (compromise user man, replace man binaries, wait for root
or cron to run man/mandb)

$ ls -l /usr/lib/man-db/man*
-rwsr-xr-x    1 man      root        94676 Apr  6  2000 /usr/lib/man-db/man
-rwsr-xr-x    1 man      root        74168 Apr  6  2000 /usr/lib/man-db/mandb
$

-- 
Ethan Benson
http://www.alaska.net/~erbenson/
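
The privilege-separating wrapper described in the message above, written out as an added example; this is not Debian's man-db wrapper code and not from the poster, only an illustration of the mechanism: when the wrapper finds itself running as root it drops to user man before execing /usr/lib/man-db/man, so a compromise of user man cannot be escalated by trojaning the man binaries and waiting for root or cron to run them. The paths /usr/lib/man-db/man and user name man come from the post; the function names (must_drop, ids_dropped, drop_privileges) are mine, and the calls to setgroups() and setgid() are hardening I assume a careful wrapper would do, since the post only mentions setuid.

```c
/* Added example: a root-to-"man" dropping wrapper in the spirit of Debian's
 * /usr/bin/man. Not the real man-db code. */
#define _DEFAULT_SOURCE 1
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Path and user name taken from the post; everything else is an assumption. */
#define REAL_MAN  "/usr/lib/man-db/man"
#define DROP_USER "man"

/* Only a root invocation has anything to drop: an ordinary user already runs
 * as themselves, and the setuid bit on REAL_MAN handles the switch to "man". */
int must_drop(uid_t euid)
{
    return euid == 0;
}

/* Returns 1 when real and effective uid and gid all equal the target.
 * Checking all four catches the classic mistake of using seteuid() (which
 * leaves the real uid at 0 and lets the callee setuid(0) back). */
int ids_dropped(uid_t uid, gid_t gid)
{
    return getuid() == uid && geteuid() == uid &&
           getgid() == gid && getegid() == gid;
}

/* Switch permanently from root to `user`. Order matters: supplementary
 * groups and gid first (they still need root), uid last. Returns 0 on
 * success, -1 on any failure; the caller must treat -1 as fatal and never
 * exec the real binary while still root. */
int drop_privileges(const char *user)
{
    struct passwd *pw = getpwnam(user);
    if (pw == NULL) {
        fprintf(stderr, "no such user: %s\n", user);
        return -1;
    }
    /* Assumption (hardening beyond what the post describes): root's
     * supplementary groups must not leak into the "man" process. */
    if (setgroups(0, NULL) != 0)
        return -1;
    if (setgid(pw->pw_gid) != 0)
        return -1;
    if (setuid(pw->pw_uid) != 0)
        return -1;
    if (!ids_dropped(pw->pw_uid, pw->pw_gid))
        return -1;
    /* Belt and braces: after a real (not merely effective) drop, regaining
     * root must fail. If it succeeds, the drop was not permanent. */
    if (pw->pw_uid != 0 && setuid(0) == 0)
        return -1;
    return 0;
}

int main(int argc, char **argv)
{
    (void)argc;
    if (must_drop(geteuid()) && drop_privileges(DROP_USER) != 0) {
        /* A failed drop means refusing to run, not running as root. */
        fprintf(stderr, "man wrapper: refusing to exec %s as root: %s\n",
                REAL_MAN, strerror(errno));
        return 1;
    }
    /* argv[0] and the user's options pass through unchanged to the real man. */
    execv(REAL_MAN, argv);
    perror(REAL_MAN);
    return 127;
}
```

The property worth keeping in mind is the one the post is about: the wrapper only limits the blast radius of a compromise of user man. It does nothing for the format string bug itself, which still runs inside the setuid-man binary with the caller's arguments, and a wrapper that falls through to execv() when the drop fails would silently defeat the whole arrangement, so the failure path aborts.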

