[19033] in bugtraq


Re: SuSe / Debian man package format string vulnerability

daemon@ATHENA.MIT.EDU (Darren Moffat)
Tue Feb 6 01:01:05 2001

Mime-Version: 1.0
Content-Type: TEXT/plain; charset=us-ascii
Content-Md5: eBlaJvnWwT/QQbXXvqI0ng==
Message-Id:  <200102060416.f164GWR318805@jurassic.eng.sun.com>
Date:         Mon, 5 Feb 2001 20:16:32 -0800
Reply-To: Darren Moffat <Darren.Moffat@eng.sun.com>
From: Darren Moffat <Darren.Moffat@ENG.SUN.COM>
To: BUGTRAQ@SECURITYFOCUS.COM

>* Darren Moffat <Darren.Moffat@eng.sun.com> [010205 19:24]:
>> Exactly what is it that man MUST do to perform the job of turning nroff
>> man pages into viewable text ?

Given the replies I got that are similar to the one below I should have
been more explicit - I knew this but was trying to hint that it wasn't
part of the functionality of formatting the page.

man doesn't NEED to do this to get the job done; this is all just about
caching at the expense of security.

>It is setuid <some user> in order to store pre-formatted manpages
>around, so that future invocations do not have to format the manpage. It
>is intended to allow simple source pages to be shipped (compressed in
>the case of at least Debian) so that PostScript versions can be
>generated, in addition to the simple text-viewable versions -- and still
>allow for frequently-accessed manpages to load as fast as shipping the
>formatted versions of manpages.

>It is interesting to note that OpenBSD does not use the source pages by
>default -- only the processed plaintext 'cat'pages are installed. This
>prevents the need for set(gd)id man applications, and problems such as
>this.

Solaris does the opposite and ships only the unformatted man pages,
which since Solaris 7 are sgml rather than nroff.  If you want to have
access to catman pages rather than wait for them to be formatted each
time then root can run catman.

--
Darren J Moffat
