On Sat, Jan 10, 2026 at 05:01:12AM -0600, G. Branden Robinson wrote:
> Between glibc malloc's and Debian's hardening flags, this problem
> appears to be pre-mitigated, at least as far back as groff 1.22.4-6.
[...]
> $ ~/groff-1.23.0/bin/groff -p /tmp/bigger-crasher.groff
> *** stack smashing detected ***: terminated
> /home/branden/groff-1.23.0/bin/groff: error: pic: Aborted (core dumped)
> $ /usr/bin/groff -p /tmp/bigger-crasher.groff
> *** stack smashing detected ***: terminated
> /usr/bin/groff: pic: Signal 6 (core dumped)
>
> Perhaps these findings put a ceiling on the potential severity of this
> bug report.

Given your output I'm inclined to agree. In this case I think it would be fine to just pick this fix up when you release 1.24.0, and not worry about backporting it to stable releases?

CCing team@security to double-check. (I haven't included the whole history; see https://bugs.debian.org/1125162.)

Thanks,

--
Colin Watson (he/him)                              [[email protected]]
