[Man-db-announce] man-db 2.7.6 released

[Colin Watson]

I've released man-db 2.7.6.

Description
===========

man-db contains an implementation of the man command, which is the
primary way of examining the on-line help files (manual pages).  Other
utilities provided include the whatis and apropos commands for searching
the manual page database, the manpath utility for determining the manual
page search path, and the maintenance utilities mandb, catman and
zsoelim.  The package requires a troff installation, such as groff (GNU
troff) to format and display the manual pages.

About this release
==================

Fixes:
------

* Fix build warnings with Perl 5.22.

* Document that 'man -K' searches page source, not rendered text.

* Fix a long-standing bug in man-db's internal cleanup stack mechanism:
  if a cleanup function was pushed unexpectedly between a push/pop pair,
  then popping the stack would remove the wrong cleanup function and
  chaos could ensue.  Avoid this by being more precise about which
  cleanup function should be popped.

* SECURITY: Eliminate dangerous setgid-root directories.  In the default
  configuration, cache files and directories are now owned by man:man
  rather than man:root; man and mandb are now setgid man as well as
  setuid man (except in the --disable-setuid case).  This is a much
  simpler and safer solution to the original problem that caused my
  predecessor to make directories setgid root, and doesn't introduce any
  interesting new privilege since the man group's only real purpose is
  to be the man user's primary group and nothing in cache directories is
  group-writeable.

  Maintainers of distribution packagers should take care to review their
  installation rules in light of this change.

  As far as I know this has no CVE ID, but it is described here:

    http://www.halfdog.net/Security/2015/SetgidDirectoryPrivilegeEscalation/

* Fix manual page translation infrastructure to render tables correctly
  with po4a 0.47.

Improvements:
-------------

* man now understands the <page>.<section> form on its command line, so
  for example 'man chmod.2' is now the same as 'man 2 chmod'.
  (Contributed by Mihail Konev.)

* The owner of cache files is now configured separately from whether man
  and mandb are installed setuid, using the --enable-cache-owner[=USER]
  option.

Notes for distributors
======================

The security fix above was quite involved.  If you're trying to backport
it to a stable release, then you should probably consider at least these
commits:

  e62b9edafe00c51e52863718cb2eb1e29385230e Rename some anomalous x* functions
  9ab9f3dd9b0d5f290c635995559332c1710e5b4d man(1): Fix gcc warnings
  0f8b5518949866075c25787bdc4e9c064597c21e Separate cache owner from 
--enable-setuid option
  94b9d1e2a14ce8790d7c73df00d0bbd9e40cd437 Handle cleanup stack more safely
  c7f7daa9b2ffbbf4c45a2b168802a51acc2263c0 Make --disable-cache-owner imply 
--disable-setuid
  31552334cecee82809059ec598a37d9ea82683f0 Eliminate dangerous setgid-root 
directories
  755a9551c45da82f99d0ad8e46ef756afbeafb3f Fix distcheck following 
cache-owner/setuid changes
  75701f7fd9a00108abeb851792231b3d9bc2a67d Fix systemd tmpfiles group/perms of 
/var/cache/man

Feel free to contact me if you have difficulty.  You should also
consider
http://www.halfdog.net/Security/2015/MandbSymlinkLocalRootPrivilegeEscalation/,
which could not be fixed without fixing the above bug first; while this
bug was in Debian-specific cron jobs, others may have copied them.

For full details, please see the ChangeLog file in the source
distribution.

  http://savannah.nongnu.org/projects/man-db/
  http://savannah.nongnu.org/download/man-db/man-db-2.7.6.tar.xz
  http://savannah.nongnu.org/download/man-db/man-db-2.7.6.tar.xz.sig

Cheers,

-- 
Colin Watson                                       address@hidden

signature.asc
Description: Digital signature