From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:0.9.2) Gecko/20010701

Description of problem:
pic can be forced to execute commands (sh X..X) when running in safe mode (-S). Can be exploited through lpd (groff/pic is run in printfilters) and arbitrary commands with id of lpd can be run. pic command 'plot -1.99892428527521803794 "%n"' will overwrite memory where safe mode variable is stored and then it allows to use "sh" command.

How reproducible:
Always

Steps to Reproduce:
1. pic -S
2. .PS
3. plot -1.99892428527521803794 "%n"
4. sh XidX
5. .PE

Actual Results:
uid=501(bendik) gid=501(bendik) ....

Expected Results:
pic:<standard input>:2: unsafe to run command `id'

Additional info:
Bug has been discovered by Zenith Parsec <zen-parse>. Exploit with patch has been posted to bugtraq (see URL). I tested groff 1.16 and 1.16.1, both are vulnerable.
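The report above is a format-string bug: the quoted string after `plot <expr>` reaches a printf-style routine as the format argument rather than as data, so a `%n` in it writes to memory and the write lands on the safe-mode flag. The C below is an added illustration of the two defensive patterns a maintainer would reach for; it is not groff's code and not the fix Florian shipped, and every name in it (`scan_conversions`, `number_format_is_safe`, `format_number`, `render_text`) is invented for this example. Text that is data is printed through a literal `"%s"`, and text that has to act as a format (the one number `plot` prints) is validated against a whitelist of floating-point conversions before printf ever sees it, which rejects `%n`, `%s`, `%*f` (which would read an extra argument) and a second conversion.

```c
#include <stdio.h>
#include <string.h>

/* Added illustration, not groff's code: names and structure are invented.
 * The anti-pattern behind the report, shown here only as a comment, is
 *     fprintf(out, label);          // label came from the input file
 * Anything printf-like that gets input as its FORMAT interprets every
 * %-directive in it, and "%n" is the one directive that writes memory. */

/* Walk a format string and collect its conversion characters. "%%" is a
 * literal percent sign and is skipped. Only flags, width and precision are
 * skipped on the way to the conversion character; '*' is deliberately NOT
 * skipped (it would consume an extra argument) and neither are length
 * modifiers, so "%*f" and "%lf" surface as conversions '*' and 'l'.
 * Returns the number of conversions found (at most `max` are stored),
 * or -1 if the string ends in a dangling '%'. */
static int scan_conversions(const char *fmt, char *convs, int max)
{
    int count = 0;
    for (const char *p = fmt; *p != '\0'; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') { p++; continue; }        /* "%%" */
        const char *q = p + 1;
        while (*q != '\0' && strchr("-+ #0123456789.", *q) != NULL)
            q++;                                   /* flags, width, precision */
        if (*q == '\0')
            return -1;                             /* dangling '%' */
        if (count < max)
            convs[count] = *q;
        count++;
        p = q;                                     /* loop's p++ steps past it */
    }
    return count;
}

/* True if `fmt` may be used to print exactly ONE double: one conversion,
 * and it is a floating-point one. "%n", "%s", "%p", "%*f", "%f %f" and a
 * format with no conversion at all are all refused. */
static int number_format_is_safe(const char *fmt)
{
    char convs[2];
    int n = scan_conversions(fmt, convs, 2);
    return n == 1 && strchr("eEfgG", convs[0]) != NULL;
}

/* Format `value` with a user-supplied format, but only after validation.
 * Returns bytes written, or -1 if the format was rejected or did not fit. */
static int format_number(char *out, size_t outsz, double value, const char *fmt)
{
    if (!number_format_is_safe(fmt))
        return -1;
    int n = snprintf(out, outsz, fmt, value);      /* safe: fmt was whitelisted */
    return (n < 0 || (size_t)n >= outsz) ? -1 : n;
}

/* Render a label that is pure data: always through a literal "%s", so a
 * "%n" in the label is printed as the two characters '%' 'n', nothing more. */
static int render_text(char *out, size_t outsz, const char *label)
{
    int n = snprintf(out, outsz, "%s", label);
    return (n < 0 || (size_t)n >= outsz) ? -1 : n;
}

int main(void)
{
    /* Constructed inputs: the report's own number, with legitimate and
     * hostile formats side by side. */
    const char *inputs[] = { "%.2f", "%g units", "%n", "%s", "%f %f", "%*f", "100%%" };
    char buf[64];
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        int n = format_number(buf, sizeof buf, -1.99892428527521803794, inputs[i]);
        if (n < 0)
            printf("rejected: \"%s\"\n", inputs[i]);
        else
            printf("ok:       \"%s\" -> %s\n", inputs[i], buf);
    }
    render_text(buf, sizeof buf, "%n");
    printf("as data:  %s\n", buf);
    return 0;
}
```

The whitelist is deliberately narrow: for the single-number case there is no reason to accept length modifiers or `*`, and refusing them costs nothing. The general lesson is the first function's comment, though: input never becomes the format argument unless a scanner like this has already proven it harmless.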
When do you want to fix this???? --rado b
Is fixed with current rpms: groff-1.17.2-1

Thanks,
Florian La Roche