[19039] in bugtraq


man issue

daemon@ATHENA.MIT.EDU (Sebastian Krahmer)
Tue Feb 6 14:28:09 2001

Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id:  <Pine.LNX.4.21.0102061627270.393-100000@Galois.suse.de>
Date:         Tue, 6 Feb 2001 16:29:58 +0100
Reply-To: Sebastian Krahmer <krahmer@SUSE.DE>
From: Sebastian Krahmer <krahmer@SUSE.DE>
X-To:         suse-security@suse.de
To: BUGTRAQ@SECURITYFOCUS.COM

hi,

the format issue of man seems harmless.
the bug lies in here:

   /* XXX */
   if (!display (NULL, argv[optind], NULL,
                 basename(argv[optind]))) {
           error (0, errno, argv[optind]);
           exit_status = NOT_FOUND;
   }

where error() is format-capable. However root privs are dropped before.
So, you could gain a user-shell if you want.
Please don't run man setgid, as man doesn't drop effective group ID.

l8,
Sebastian
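
The call pattern quoted in the message next to its corrected form, as an added example that is not part of the original post or of man's source. `error_fmt`, `report_as_format` and `report_as_data` are hypothetical names; `error_fmt` stands in for the format-capable error() and writes to a buffer so the difference can be checked.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a format-capable error(status, errnum, fmt, ...).
 * It formats into a static buffer instead of stderr so the result can be
 * inspected; errnum 0 means "no errno text", as in the calls below. */
static char msg[256];

static const char *error_fmt(int errnum, const char *fmt, ...)
{
    va_list ap;
    int n;

    va_start(ap, fmt);
    n = vsnprintf(msg, sizeof msg, fmt, ap);
    va_end(ap);
    if (n < 0)
        msg[0] = '\0';
    else if (errnum != 0 && (size_t)n < sizeof msg)
        snprintf(msg + n, sizeof msg - (size_t)n, ": %s", strerror(errnum));
    return msg;
}

/* Pattern from the post: the caller-supplied name IS the format string. */
const char *report_as_format(const char *name)
{
    return error_fmt(0, name);
}

/* Corrected call: constant format, name passed only as data. */
const char *report_as_data(const char *name)
{
    return error_fmt(0, "%s", name);
}

int main(void)
{
    /* Constructed input: "%%" is a directive that consumes no argument,
     * so interpreting it is well defined and safe to run. */
    const char *name = "page%%name";

    printf("as format: %s\n", report_as_format(name));
    printf("as data:   %s\n", report_as_data(name));
    return 0;
}
```

Building callers of the real error() with `-Wformat -Wformat-security` flags the first pattern at compile time.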
