Hi!

Aaron Campbell wrote on Tuesday, 27 July 1999, at 0:45:
> On Mon, 26 Jul 1999, Nic Bellamy wrote:
>
> > I've also checked OpenBSD 2.5 and FreeBSD 3.2 - the groff on both systems
> > defaults to the unsafe behaviour.
>
> OpenBSD-current has been fixed to pass the -S (safer mode) option to groff
> from the nroff.sh script. Please see the following URL:
>
> http://www.openbsd.org/cgi-bin/cvsweb/src/gnu/usr.bin/groff/nroff/nroff.sh

Thanks for this hint.

I'd like to add that on a SuSE Linux system (only checked SuSE 6.1)
/usr/bin/nroff appears to be a shell script, which calls groff.

Additionally, if you execute less on a manpage, groff is called via
/usr/bin/lesspipe.sh.

Both scripts default to the unsafe behaviour. Thus viewing manpages with
less (unless you set the environment variable LESSSECURE [with 3 'S'!],
which actually should be named MORESECURE imho ;-) ) is also dangerous.

Imagine *evaluating* manpages that are packed with sources, and mistakenly
doing it with less... Oops!

Inserting the -S flag into the calls to groff in /usr/bin/nroff and
/usr/bin/lesspipe.sh fixes the problem. This might help on several other
systems.

> Since we were on the subject of a fairly *cough* minor *cough* security issue
> I thought I'd bring this up.
---End of quote---

Minor it might be, and old as well. But nevertheless it annoyed me and
several other people quite a lot (if I look at this thread). It annoyed me
especially since I am very used to using less instead of more.

Regards
Friedel
-- 
Friedrich Delgado Friedrichs <friedelat_private>
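As an added example (not part of the original message or of any vendor's scripts), the check below scans wrapper scripts for groff invocations that lack the -S flag described in the message above. The function name groff_unsafe_lines is hypothetical and the sample wrapper files are constructed stand-ins for /usr/bin/nroff and /usr/bin/lesspipe.sh.

```shell
#!/bin/sh
# Added example (not from the original post): flag groff calls lacking -S.
# Limits: one command per physical line (no backslash continuations), and
# -S must appear as its own word, not hidden in a variable.

groff_unsafe_lines() {
    # Prints "file:line: text" per unsafe call; returns 1 if any were found.
    awk '
        /^[ \t]*#/ { next }                       # skip comment lines
        {
            n = split($0, cmd, /[|;&]+/)          # commands in a pipeline/list
            for (c = 1; c <= n; c++) {
                m = split(cmd[c], w, /[ \t()`]+/) # words of one command
                hit = 0; safe = 0
                for (i = 1; i <= m; i++) {
                    if (w[i] == "groff" || w[i] ~ /\/groff$/) hit = 1
                    else if (hit && w[i] == "-S") safe = 1
                }
                if (hit && !safe) {
                    printf "%s:%d: %s\n", FILENAME, FNR, $0
                    bad = 1
                }
            }
        }
        END { exit bad + 0 }
    ' "$@"
}

# Constructed sample wrappers (stand-ins, not the real SuSE or OpenBSD files).
demo_dir=$(mktemp -d)
printf '%s\n' '#!/bin/sh' 'exec groff -Wall -mtty-char -Tascii "$@"' \
    > "$demo_dir/nroff.unsafe"
printf '%s\n' '#!/bin/sh' 'exec groff -S -Wall -mtty-char -Tascii "$@"' \
    > "$demo_dir/nroff.fixed"
printf '%s\n' '#!/bin/sh' 'case "$1" in' \
    '  *.[1-9]) zcat "$1" | groff -Tascii -mandoc ;;' 'esac' \
    > "$demo_dir/lesspipe.unsafe"

groff_unsafe_lines "$demo_dir"/* || echo "groff calls without -S found" >&2
```

On a real system, pass the wrapper paths named in the message as arguments instead of the constructed files.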
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:54:01 PDT