On Sun, 25 Jul 1999 10:18:20 EDT, John Robert LoVerso wrote:
> This isn't a problem with "troff" or any of its variants. Instead,
> this is an exploit purely with "groff", the GNU reimplementation. Troff
> doesn't have the file stream or ".pso" requests; those are purely part
> of groff.

No, at least .sy and .pi are part of the original troff command set.
Look for the original troff documentation in the att cstr series.

As far as man viewers are concerned, these problems have been discovered
and fixed several times. On Linux, Andries Brouwer's man is safe; it drops
privileges whenever it invokes external commands (note that this includes
gzip and less besides groff). The man_db shipped by some vendors isn't.
I've repeatedly tried to contact the original author, to no avail.

Potential problems like this are also the primary reason why /usr/man
and friends should never be owned by man.man; once you've subverted
user or group man you may be able to plant trojan manpages in them.

Finally, note that apart from the various troff/groff commands, you can
request that certain preprocessors like tbl be run. Some of them also have
special commands that make them run shell code.

Olaf
--
Olaf Kirch | --- o --- Nous sommes du soleil we love when we play
okirat_private | / | \ sol.dhoop.naytheet.ah kin.ir.samse.qurax
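
An added example, not part of the message above or of any man implementation: a Python audit that walks a manual tree, flags entries a non-trusted user or group could replace, and lists pages containing the command-running requests discussed in the thread. The `.open`/`.opena` names for the "file stream" requests, the trusted uid/gid defaults and the sample page are assumptions made for the example.

```python
import gzip
import os
import re

# Requests the message names (.sy, .pi, .pso) plus groff's file-stream
# requests .open/.opena (assumed to be the "file stream" requests meant).
UNSAFE = ("sy", "pi", "pso", "opena", "open")
# A request line starts with a control character (. or '), optional blanks,
# then the request name. Heuristic only: renamed requests are not caught.
REQ = re.compile(r"^[.'][ \t]*(%s)(?![A-Za-z0-9])" % "|".join(UNSAFE))

# Constructed sample page, not taken from any real manual.
SAMPLE = """.TH DEMO 1
.SH NAME
demo \\- constructed page; the .sy request is only mentioned here
.pl 11i
.sy echo constructed-sample
'  pso echo constructed-sample
"""

def unsafe_requests(text):
    """Return (line number, request) for each command-running request."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        m = REQ.match(line)
        if m:
            hits.append((n, m.group(1)))
    return hits

def read_page(path):
    """Read a manual page source, transparently handling .gz pages."""
    opener = gzip.open if path.endswith(".gz") else open
    with opener(path, "rt", encoding="latin-1") as fh:
        return fh.read()

def audit_tree(root, trusted_uids=(0,), trusted_gids=(0,)):
    """Flag entries a non-trusted user or group could replace, and pages
    containing unsafe requests."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in files]:
            st = os.lstat(path)
            if st.st_uid not in trusted_uids:
                findings.append((path, "owner uid %d" % st.st_uid))
            if st.st_mode & 0o020 and st.st_gid not in trusted_gids:
                findings.append((path, "group-writable, gid %d" % st.st_gid))
            if os.path.isfile(path):
                for n, req in unsafe_requests(read_page(path)):
                    findings.append((path, "line %d: .%s" % (n, req)))
    return findings
```

Calling `audit_tree("/usr/man")` with the defaults treats only root as trusted, so a tree owned by user or group man shows up as findings.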
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:53:39 PDT