Red Hat Bugzilla – Bug 40400
man 1.5h1-10 has an exploitable overflow
Last modified: 2007-04-18 12:33:12 EDT
Description of Problem:
man 1.5h1-10 (version released with rh7.0) has a heap-based overflow
in man.c, get_section_list() function. The check
if (end == NULL || i + 1 == sizeof (tmp_section_list))
if (end == NULL || i + 1 == (sizeof (tmp_section_list) /
There exists an exploit for gid man.
Make a section list with over 100 elements in it.
Steps to Reproduce:
1. man -S `perl -e 'print ":" x 101'` ls
No manual entry for ls
A root exploit from gid man also exists.
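Added example, not part of the original report and not code from man.c: a constructed model of why a limit taken from `sizeof (tmp_section_list)` counts bytes rather than elements, next to a bounded splitter. The element type `char *`, the array length of 100, the divisor `sizeof` of one element, and the names `slots_written` and `split_sections` are assumptions made for illustration.

```c
#include <stddef.h>
#include <string.h>

#define NSECT 100                       /* length implied by the report */
#define ARRAY_LEN(a) (sizeof (a) / sizeof ((a)[0]))

char *tmp_section_list[NSECT];          /* element type char * is assumed */

/* Limit used by the flawed check: the array's size in bytes. */
size_t flawed_limit(void) { return sizeof (tmp_section_list); }

/* Limit used by an element-count check: the array's length. */
size_t fixed_limit(void) { return ARRAY_LEN(tmp_section_list); }

/* Constructed model of the parsing loop (not man.c): count the slots the
 * loop would write, terminating NULL included, when it stops at `limit`.
 * Nothing is stored, so the model itself stays in bounds. */
size_t slots_written(const char *list, size_t limit)
{
    size_t i = 0;
    for (const char *p = list;;) {
        const char *end = strchr(p, ':');
        i++;                            /* tmp_section_list[i++] = entry */
        if (end == NULL || i + 1 == limit)
            break;
        p = end + 1;
    }
    return i + 1;                       /* tmp_section_list[i] = NULL */
}

/* Bounded splitter: splits `list` in place, keeps at most cap - 1 entries
 * and always NULL-terminates. Returns the number of entries kept. */
size_t split_sections(char *list, char **out, size_t cap)
{
    size_t n = 0;
    if (cap == 0)
        return 0;
    for (char *p = list; p != NULL && n + 1 < cap;) {
        char *end = strchr(p, ':');
        if (end != NULL)
            *end = '\0';
        out[n++] = p;
        p = end ? end + 1 : NULL;
    }
    out[n] = NULL;
    return n;
}
```

For a list of 101 colons, the model reports 103 slots written with the byte-size limit and 100 with the element-count limit, against an array of 100 slots.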
Quick fix: Update to the versions from 7.1 or rawhide (preferred).
I'll take care of errataing this now.
The errata package just passed QA - closing this bug.
By the way, I could not find any information about a root exploit from gid man
anywhere on the net.
If this is indeed true, please open a new bug report with information on this.