Re: RH7.0: man local gid 15 (man) exploit

From: Colin Watson (cjwatsonat_private)
Date: Tue May 15 2001 - 12:16:14 PDT

    In article <20010513200734.9834.qmailat_private>,
    zenith_parsec@the-astronaut.com wrote:
    >========================================================
    >Vulnerable systems: redhat 7.0 with man-1.5h1-10 (default
    >package) and earlier.
    >=========================================================
    >Heap Based Overflow of man via -S option gives GID man.
    >
    >Due to a slight error in a length check, the -S option to
    >man can cause a buffer overflow on the heap, allowing redirection of
    >execution into user supplied code.
    >
    >man -S `perl -e 'print ":" x 100'`
    >
    >Will cause a seg fault if you are vulnerable.
    
    With the name of a man page as an additional argument, the version of
    man-db shipped with Debian GNU/Linux also segfaults here. I just
    uploaded version 2.3.18-2 to Debian unstable which fixes this.
    
    However, I believe that the code bases are different enough that a
    segfault is as bad as it gets in man-db (the functions in question are
    entirely different, and just happen to have the same failure case). Feel
    free to prove me wrong.
    
    Cheers,
    
    -- 
    Colin Watson                                     [cjw44at_private]
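The advisory quoted above attributes the overflow to a length check on the -S argument (a colon-separated list of sections). The following is an added illustration, not code from man or man-db, of a bounded copy of such a list whose check accounts for the terminating NUL, together with a field counter that tolerates the empty fields a run of colons produces; the limit and function names are constructed for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed limit for the example; real programs derive it from the buffer. */
#define MAX_SECTION_LIST 32

/* Hypothetical helper (not man's code): copy the -S argument into a heap
 * buffer of MAX_SECTION_LIST bytes. memcpy writes len + 1 bytes (the NUL
 * included), so the check must be on len + 1, not len. Returns NULL and
 * copies nothing when the list does not fit. */
char *copy_section_list(const char *arg) {
    size_t len = strlen(arg);
    if (len + 1 > MAX_SECTION_LIST)
        return NULL;
    char *buf = malloc(MAX_SECTION_LIST);
    if (buf == NULL)
        return NULL;
    memcpy(buf, arg, len + 1);
    return buf;
}

/* Count non-empty fields in a colon-separated list; "::" contributes none. */
size_t count_sections(const char *list) {
    size_t n = 0;
    const char *p = list;
    while (*p != '\0') {
        const char *q = strchr(p, ':');
        size_t fieldlen = q ? (size_t)(q - p) : strlen(p);
        if (fieldlen > 0)
            n++;
        if (q == NULL)
            break;
        p = q + 1;
    }
    return n;
}

int main(void) {
    char many[101];                 /* constructed: the 100-colon input */
    memset(many, ':', 100);
    many[100] = '\0';
    char *ok = copy_section_list("1:3:8");
    printf("\"1:3:8\" -> %s, %zu sections\n", ok ? "accepted" : "rejected",
           ok ? count_sections(ok) : 0);
    printf("100 colons -> %s\n", copy_section_list(many) ? "accepted" : "rejected");
    free(ok);
    return 0;
}
```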
    