
[Groff] insecurity


From: Bernd Warken
Subject: [Groff] insecurity
Date: Wed, 12 Apr 2000 13:07:56 +0200

address@hidden

Buffer overflow in groff

In Linux-Magazin 06/2000, there is an alarming article in the
"Insecurity News" section called "man-Overflow", written by Mark
Vogelsberger.

It lists a Perl script to find buffer overflows and an exploit for them.
Moreover, it says that Pawel Wilk has shown that it's possible to write
man-pages that can run arbitrary code under the actual uid, even root.

The article gives a fast work-around: remove sgid from the binaries, but 
that does not cure the illness.

The problems are said to arise from the many system() calls using
user-defined values that are easy to manipulate.

Unfortunately, neither the article nor the scripts seem to be available
on-line.  If necessary it should be possible to get both by mailing to
<address@hidden>.

##########################

I think this is a serious issue to be fixed for 1.16 (though I do not feel
fit enough for this task).  I bet that there are more security holes in
other parts of groff apart from man.  Buffer overflows will not be the
only problem; troff once was too mighty a language.

Bernd Warken <address@hidden>

FreeBSD enslaved herself, that HURDs me.


