[Groff] insecurity
From: Bernd Warken
Subject: [Groff] insecurity
Date: Wed, 12 Apr 2000 13:07:56 +0200
address@hidden
Buffer overflow in groff
In Linux-Magazin 06/2000, there is an alarming article in the
"Insecurity News" section called "man-Overflow", written by Mark
Vogelsberger.
It lists a Perl script to find buffer overflows and an exploit for them.
Moreover, it says that Pawel Wilk has shown that it's possible to write
man-pages that can run arbitrary code under the actual uid, even root.
The article gives a fast work-around: remove sgid from the binaries, but
that does not cure the illness.
The problems are said to arise from the many system() calls using
user-defined values that are easy to manipulate.
Unfortunately, neither the article nor the scripts seem to be available
on-line. If necessary it should be possible to get both by mailing to
<address@hidden>.
##########################
I think this is a serious issue to be fixed for 1.16 (though I do not feel
fit enough for this task). I bet that there are more security holes in
other parts of groff apart from man. Buffer overflows will not be the
only problem; troff once was too mighty a language.
Bernd Warken <address@hidden>
FreeBSD enslaved herself, that HURDs me.