From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0

Description of problem:
I am running FC3 inside Microsoft Virtual PC 2004/SP1 and my kernel is the latest 2.6.10-1.737. A copy of the output after running the command:

[neo@fedora ~]$ man -k "map "
sh: /unsafe/: No such file or directory
Error executing formatting or display command.
System command /unsafe/ exited with status 32512.
Segmentation fault

Does this mean anything special to security? Is it a bug?

Version-Release number of selected component (if applicable):

How reproducible: Always

Steps to Reproduce:
1. Start a Shell window.
2. Type man -k "map " (note there is a space after the word map).

Actual Results:
sh: /unsafe/: No such file or directory
Error executing formatting or display command.
System command /unsafe/ exited with status 32512.
Segmentation fault

Expected Results: (Should not have segfault)

Additional info:
This is probably harmless because I don't know of many programs that call man -k (but you never know). This was a complete pain in the neck to chase down because man is compiled without -g AND linked with -s so all the debug symbols go out of the window before anyone can get their hands on them...

Here's what valgrind had to say:

==5683== Invalid free() / delete / delete[]
==5683== at 0x1B902FB1: free (vg_replace_malloc.c:153)
==5683== by 0x804B1C2: do_apropos (man.c:1225)
==5683== by 0x804B3A6: main (man.c:1332)
==5683== Address 0x804F25B is not stack'd, malloc'd or (recently) free'd

The problem appears to be that my_xsprintf notices that spaces are bad as %s parameters and returns the string constant "/unsafe/" as the command to run instead. Unfortunately there is no way to know that you received a string constant back and that the constructed command was not dynamically allocated, so a little bit later an attempt is made to free that constant. A band aid solution for the segfault would be the following:

--- util.c.orig 2003-09-05 10:48:13.000000000 +0100 +++ util.c 2005-01-11 12:45:39.000000000 +0000 @@ -272,7 +272,7 @@ case 'S': /* check and turn into 's' */ ss = va_arg(p, char *); if (!is_shell_safe(ss, (s[1] == 'Q'))) - return NOT_SAFE; + return my_strdup(NOT_SAFE); len += strlen(ss); s[1] = 's'; break;

Giving the user back a meaningful error (illegal characters in keyword) is going to be a trickier problem. On another note I am wondering whether the second parameter should be quoted to allow "map " to work. I don't know whether it opens up another problem but I can't see one at first glance...
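Review bot: In the case 'S' branch, return my_strdup(NOT_SAFE); makes the later free() valid but still hands the caller the sentinel as though it were a command, so nothing in this hunk stops /unsafe/ from being passed to the shell as in the reported output. Suggest returning NULL (or a status code) when is_shell_safe() fails and having callers check it before executing and freeing. If the sentinel string is kept, callers have to detect it with strcmp() rather than by pointer, since the copy no longer shares NOT_SAFE's address, and the function comment should state that the return value is always heap-allocated.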
Created attachment 109600 [details] segfault band aid
Created attachment 109601 [details] Quote the keyword parameter (allows spaces)
Just got bit by this. (My FC3 is running natively, no Virtual PC.) apropos works instead for now.
Just to give developers more information. I just found out that if you include a white space in the param to -k, it will segfault. man -k " "
Thank you for your notices. This problem was fixed in the latest version of man (man-1.5p-1). If there is still a problem with man -k, please reopen this bug.
Ivana Varekova
I think it is still bugging. Try this: man -k "$<" What I get is: not executing command: /unsafe/
There are forbidden characters in the man -k keyword parameter (<, >, |, ..). If you enter a keyword containing these characters, man writes the previous error message.
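An added example (not code from man or from this report) of the pattern the thread converges on: the command builder reports a refused keyword as a status code and only ever hands back heap memory or NULL, so the caller's free() is always valid and a rejected keyword is never run as /unsafe/. The names build_command, lookup, shell_safe, the CMD_* codes and the reject list are assumptions made for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum { CMD_OK = 0, CMD_UNSAFE = -1, CMD_NOMEM = -2 };

/* Hypothetical stand-in for is_shell_safe(): the reject list is constructed
 * for this example; spaces are allowed only when the argument gets quoted. */
static int shell_safe(const char *s, int quoted) {
    for (; *s; s++) {
        if (strchr("<>|&;$`\\\"'\n", *s)) return 0;
        if (*s == ' ' && !quoted) return 0;
    }
    return 1;
}

/* On CMD_OK *out is heap memory the caller must free; otherwise *out is NULL.
 * A refusal is a status code, never a string constant posing as a command. */
int build_command(char **out, const char *prog, const char *keyword, int quoted) {
    *out = NULL;
    if (!shell_safe(keyword, quoted)) return CMD_UNSAFE;
    size_t n = strlen(prog) + strlen(keyword) + 4;   /* space, two quotes, NUL */
    char *cmd = malloc(n);
    if (!cmd) return CMD_NOMEM;
    if (quoted) snprintf(cmd, n, "%s '%s'", prog, keyword);
    else        snprintf(cmd, n, "%s %s", prog, keyword);
    *out = cmd;
    return CMD_OK;
}

/* Caller pattern: report the refusal, run nothing, and free unconditionally. */
int lookup(const char *keyword, int quoted) {
    char *cmd;
    int rc = build_command(&cmd, "apropos", keyword, quoted);
    if (rc == CMD_UNSAFE) fprintf(stderr, "illegal characters in keyword\n");
    else if (rc == CMD_OK) printf("would run: %s\n", cmd);  /* not executed here */
    free(cmd);   /* heap pointer or NULL, so this is always valid */
    return rc;
}

int main(void) {
    lookup("map", 0);    /* accepted */
    lookup("map ", 0);   /* refused: unquoted space */
    lookup("map ", 1);   /* accepted once quoted */
    lookup("$<", 1);     /* refused: metacharacters */
    return 0;
}
```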