On Fri, Mar 06, 2015 at 08:31:39AM +0000, Gavin Smith wrote: > Dear James, > > Thank you for the report. The last version released was 5.2, but there > was a similar issue in the most recent version anyway. I've committed > a change to not use a fixed-length buffer. I don't know why anybody > would be asking for a manpage with 1000's of bytes in its name, but I > guess it is useful to be able to ignore these things when looking for > other flaws.
Also there could be some possible security issues. I ma not really knowledgable on the subject, but my recalling was that segmentation faults could potentially be exploited, so if some users are able to start the info binary with other user rights, and make it segfault, there could be some possibility of privilege escalation. Of course this could only happen in specific and probably implausible cases (starting info through a web server, or an info with setuid bit set...) but who knows. -- Pat
