Date: Tue, 6 Feb 2001 16:29:58 +0100
From: Sebastian Krahmer <krahmer@SUSE.DE>
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: man issue
hi,
the format issue of man seems harmless.
the bug lies inhere
/* XXX */
if (!display (NULL, argv[optind], NULL,
basename(argv[optind]))) {
error (0, errno, argv[optind]);
exit_status = NOT_FOUND;
}
where error() is format-capable. However root privs are dropped before.
So, you could gain a user-shell if you want.
Please dont run man setgid, as man doesnt drop effective group ID.
l8,
Sebastian
