Bug 9838
| Field | Value |
|---|---|
| Summary | man bugs might lead to root compromise (RH 6.1 and other boxes |
| Product | [Retired] Red Hat Linux |
| Reporter | smedina |
| Component | man |
| Assignee | Bernhard Rosenkraenzer <bero> |
| Status | CLOSED RAWHIDE |
| QA Contact | |
| Severity | medium |
| Docs Contact | |
| Priority | medium |
| Version | 6.0 |
| CC | bjn |
| Target Milestone | --- |
| Target Release | --- |
| Hardware | All |
| OS | Linux |
| Whiteboard | |
| Fixed In Version | |
| Doc Type | Bug Fix |
| Doc Text | |
| Story Points | --- |
| Clone Of | |
| Environment | |
| Last Closed | 2000-05-25 15:12:14 UTC |
| Type | --- |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Embargoed | |
Description
smedina
2000-02-28 19:17:12 UTC
Two exploits were also posted to bugtraq today, one specifically for RedHat. We're movin' at Internet speed! One post suggested disabling man page caching as a solution -- what about making this the default for root?

We've verified there are a couple of buffer overruns in man that allow you to get setgid man, and are working on fixing this. Since there are several possible overruns and the whole design of the man program is not made for safety, it's not something that can be done in an hour or two. However, there is NO possible root exploit, since the .pso macro is limited to safe binaries. (Try viewing the mkroot.9 man page mentioned in the bug report - it doesn't do anything harmful.) The scope of the buffer overrun is that you might be able to get setgid man (we don't have any man-writable pages in /usr/man), and can write to files in /var/catman, to present false information to other users (but not execute programs, because .pso is disabled). This is an annoying, but hardly critical, security problem. A quick fix is disabling preformatted man pages (remove FSSTND from /etc/man.config); this is not a good thing because of speed considerations though. If you're paranoid about system security, it's a good workaround until we've come up with a real fix.

*** Bug 11037 has been marked as a duplicate of this bug. ***

While there were buffer overflows present in man, and these have been corrected for later releases, I cannot make the exploit here work as it is intended under Red Hat Linux 6.1 or 6.2. Also, review of bugtraq seems to indicate that while buffer overflows are present, it is a false alarm to claim they are exploitable. Unless someone can come up with an exploit that works, I'm going to hold off on releasing an errata update.
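The workaround discussed in the thread (drop the FSSTND keyword from /etc/man.config so man stops reading preformatted pages from /var/catman, which is the only place a setgid-man attacker could plant a forged page) is shown below as an added example; it is not part of the bug report or of the man package. It assumes the keyword is a bare `FSSTND` line as in man-1.5's config file, and it works on a constructed sample config and cat tree in a temporary directory so it runs offline; the group-writable cat directory it creates stands in for a real /var/catman/cat1 owned by group man.

```shell
#!/bin/sh
# Added example, not code from bug 9838 or from the man package.
# Applies and verifies the FSSTND workaround, and lists cat directories that a
# process running as group man (or as anyone) could write forged pages into.
# Assumption (hypothetical): the keyword is a bare "FSSTND" line, as in man-1.5.

# Comment out every bare FSSTND keyword line in the given man.config (idempotent).
disable_fsstnd() {
    cfg=$1
    sed -i.bak 's/^[[:space:]]*FSSTND[[:space:]]*$/# FSSTND   (disabled: preformatted pages are not trusted, see bug 9838)/' "$cfg"
}

# Exit status 0 if the config still enables preformatted (cat) pages, 1 otherwise.
fsstnd_enabled() {
    grep -q '^[[:space:]]*FSSTND[[:space:]]*$' "$1"
}

# Print directories under a cat tree that are group- or world-writable:
# these are exactly the places the report says a setgid-man attacker could plant pages.
writable_cat_dirs() {
    find "$1" -type d \( -perm -020 -o -perm -002 \) 2>/dev/null
}

demo() {
    tmp=$(mktemp -d)
    cfg="$tmp/man.config"
    # Constructed sample config in the spirit of man-1.5's /etc/man.config.
    cat > "$cfg" <<'EOF'
MANPATH /usr/man
MANPATH /usr/local/man
# FSSTND: store preformatted pages under /var/catman instead of next to the source
FSSTND
NROFF /usr/bin/groff -Tascii -mandoc
EOF
    catman="$tmp/catman"
    mkdir -p "$catman/cat1"
    chmod 755 "$catman"
    chmod 2775 "$catman/cat1"   # group-writable, like a real /var/catman/cat1 owned by group man

    fsstnd_enabled "$cfg" && echo "before: FSSTND enabled, man will serve pages from the cat tree"
    writable_cat_dirs "$catman" | sed 's/^/group-writable cat dir: /'

    disable_fsstnd "$cfg"
    fsstnd_enabled "$cfg" || echo "after: FSSTND disabled, man formats every page from source"
    rm -rf "$tmp"
}
demo
```

Disabling FSSTND only removes the cat-page vector; it does nothing about the overruns themselves, so it is the stopgap the comment describes, not a fix. Checking the cat tree's permissions separately is worthwhile because a cat directory that is not writable by group man already closes the "present false information" path even with FSSTND left on.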