From my post to the mailing list security-audit:

...I found another, more interesting bug in the way the MANSECT environment variable and the -S command line option are parsed. get_section_list() is called on the contents of both of these variables to split the ':'-separated lists into arrays. The array that the split-off pieces are put in is defined as:

    static char *tmp_section_list[100];

The check that tries to stop get_section_list() writing past the 100th element is flawed:

    if (end == NULL || i+1 == sizeof(tmp_section_list))

On my system, sizeof(tmp_section_list) is 400: 100 4-byte pointers. Clearly, the test expression should be something like this:

    sizeof(tmp_section_list)/sizeof(tmp_section_list[0])

I haven't had much time to play with it, but I know that by supplying more than 100 ':'-separated items, _something_ gets clobbered and strange things happen, e.g. invoking apropos and whatis when I didn't ask for them. I'm not an exploit writer, so I'm not sure how exploitable the bug is, but it looks like there would be a way if you could make use of the return values of strdup().
Looking into it
Ok, fixed in 1.5h1-14, passing it on to QA.