On Sun, 04 Feb 2001 01:48:34 +0100, Robert van der Meulen <[EMAIL PROTECTED]> said:

> Just for the record:
> on a lot of systems (including Debian), 'man' is not suid/sgid anything, and
> this doesn't impose a security problem.

Although it may not apply to *this* *particular* issue, let's all not forget that just because something is not suid/sgid it's not a security issue.

I'm sure that both 'man' and 'm4' get run a *lot* as root, and have we forgotten the .sy nroff command and trojan manpages? ;)

It will be a security problem as soon as somebody finds a way to get root to run 'man -l %n' or 'm4 -G %n'.... ;)

Valdis Kletnieks
Operating Systems Analyst
Virginia Tech