groff

Re: [Groff] FW: ISS Security Advisory: GNU Groff utilities read untruste


From: Solar Designer
Subject: Re: [Groff] FW: ISS Security Advisory: GNU Groff utilities read untrusted commands from current working directory
Date: Sat, 14 Oct 2000 03:06:42 +0400 (MSD)

I am forwarding my comments on an earlier version of the ISS advisory,
just so that you get full context.  I was assuming that I'd have to
produce a fix for the groff package I include in a distribution, so
that is why I didn't want to change the code too heavily.

----- Forwarded message from Solar Designer -----

> GNU Groff utilities read untrusted commands from current working
> directory

It really is non-obvious how this should be fixed.  The trivial fix
would be to remove the dots from fontpath and tmacpath, but I expect
this to break things.  I've considered restricting this change to the
safer mode, but (1) there're cases where the safer mode is useful and
the input file is in the current directory (well, they could use the
full path) and (2) safer_flag isn't properly initialized by the time
search_path constructors are called (don't want to be changing too
much of the code in a security patch).  So this doesn't seem like a
good idea.

> By default, the "troff" program reads its "troffrc" initialization file from
> the current working directory.  From a security standpoint, it would be 
> desirable to restrict the searchable path for this file to the invoker's 
> home directory and/or a trusted system path.

Unfortunately, it's not just the "troffrc", "troffrc-end" and other
hard-coded filenames that may be accessed from the current directory.
The macro files themselves reference other files:

.\" Load hyphenation patterns from `hyphen.us' (in the tmac directory).
.do hpf hyphen.us

There appears to be no way to specify that a file should be loaded
from "the tmac directory".  Hard-coding the full path in too many
files (some of which may come from other packages) is inconvenient.

Signed,
Solar Designer
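
An added example, not part of the original message or of groff's code: a small Python model of a colon-separated search path lookup, showing how a "." entry lets a `hyphen.us` in the working directory win over the copy in the tmac directory, and how to flag such entries. The path order, directory layout and function names are assumptions made for the illustration.

```python
import os
import tempfile

def risky_entries(search_path):
    """Return entries of a colon-separated path that depend on the working directory."""
    risky = []
    for entry in search_path.split(":"):
        # An empty entry and "." both mean the current directory; any other
        # relative entry is resolved against it as well.
        if entry == "" or not os.path.isabs(entry):
            risky.append(entry or "<empty>")
    return risky

def resolve(name, search_path, cwd):
    """Return the first existing file for `name`, searching entries in order."""
    for entry in search_path.split(":"):
        # os.path.join drops `cwd` when `entry` is absolute.
        candidate = os.path.normpath(os.path.join(cwd, entry or ".", name))
        if os.path.isfile(candidate):
            return candidate
    return None

def demo():
    """Build a constructed layout and compare lookups with and without the dot."""
    root = os.path.realpath(tempfile.mkdtemp())
    tmac = os.path.join(root, "tmac")   # stands in for the system tmac directory
    work = os.path.join(root, "work")   # stands in for an untrusted working directory
    for d in (tmac, work):
        os.mkdir(d)
        with open(os.path.join(d, "hyphen.us"), "w") as f:
            f.write("placeholder\n")
    with_dot = ".:" + tmac              # constructed path; the order is an assumption
    without_dot = tmac                  # the "trivial fix": dot removed
    return {
        "risky": risky_entries(with_dot),
        "with_dot": resolve("hyphen.us", with_dot, work),
        "without_dot": resolve("hyphen.us", without_dot, work),
        "work_copy": os.path.join(work, "hyphen.us"),
        "tmac_copy": os.path.join(tmac, "hyphen.us"),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

The same `risky_entries` check can be run over any colon-separated path value before a document from an untrusted directory is processed.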
