Re: SuSe / Debian man package format string vulnerability

[Roman Drahtmueller]

> > styx@SuxOS-devel:~$ man -l %n%n%n%n
> > man: Segmentation fault
> > styx@SuxOS-devel:~$
> >
> > This was on my Debian 2.2 potato system (It doesn't dump core though).
> Just for the record:
> on a lot of systems (including Debian), 'man' is not suid/sgid anything, and
> this doesn't impose a security problem.
> I don't know about Suse/Redhat/others.

SuSE ships the /usr/bin/man command suid man.

After exploiting the man command format string vulnerability, the attacker
can then replace the /usr/bin/man binary with an own program - since the
man command is supposed to be used frequently (especially for administrators),
this imposes a rather high security risk, which deserves some due respect.

We'll provide update packages shortly.

> Greets,
>       Robert

Roman.
-- 
 -                                                                      -
| Roman Drahtmüller      <[EMAIL PROTECTED]> //          "Caution: Cape does |
  SuSE GmbH - Security           Phone: //       not enable user to fly."
| Nürnberg, Germany     +49-911-740530 // (Batman Costume warning label) |
 -                                                                      -