From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.3a) Gecko/20021111 Phoenix/0.4

NB: Marked as a security bug since there's a potential for a core dropper like this to do something nasty. You may wish to change that evaluation after giving it some thought.

Description of problem:
When invoked on a man source file, a core file is dropped although no other sign of the command failing is seen.

  % file core.*
  core.9629: ELF 32-bit LSB core file of 'man' (signal 11), Intel 80386, version 1 (SYSV), from 'man'
  % gdb /usr/bin/man core.9686
  GNU gdb Red Hat Linux (5.2-2)
  Copyright 2002 Free Software Foundation, Inc.
  GDB is free software, covered by the GNU General Public License, and you are
  welcome to change it and/or distribute copies of it under certain conditions.
  Type "show copying" to see the conditions.
  There is absolutely no warranty for GDB.  Type "show warranty" for details.
  This GDB was configured as "i386-redhat-linux"...
  (no debugging symbols found)...
  Core was generated by `man -- ./syslog-ng.conf.5'.
  Program terminated with signal 11, Segmentation fault.
  Reading symbols from /lib/libc.so.6...(no debugging symbols found)...done.
  Loaded symbols for /lib/libc.so.6
  Reading symbols from /lib/ld-linux.so.2...(no debugging symbols found)...done.
  Loaded symbols for /lib/ld-linux.so.2
  #0  0x400e5e48 in _getopt_internal () from /lib/libc.so.6
  (gdb) bt
  #0  0x400e5e48 in _getopt_internal () from /lib/libc.so.6
  #1  0x400e6286 in getopt_long () from /lib/libc.so.6
  #2  0x0804d092 in strcpy ()
  #3  0x0804d178 in strcpy ()
  #4  0x0804d1e2 in strcpy ()
  #5  0x0804b512 in strcpy ()
  #6  0x400361c4 in __libc_start_main () from /lib/libc.so.6

Version-Release number of selected component (if applicable):

How reproducible:
Always

Steps to Reproduce:
  > mkdir /tmp/test
  > cd /tmp/test
  > cp /usr/share/man/man5/syslog.conf.5.gz .
  > gunzip syslog.conf.5.gz
  > less syslog.conf.5
  > ls -l
  total 288
  -rw-------    1 nigel    nigel      319488 Nov 14 13:43 core.9790
  -rw-r--r--    1 nigel    nigel       11868 Nov 14 13:42 syslog.conf.5

Actual Results:  core left in current directory

Additional info:
This is on a pretty standard RH7.3 machine, up to date at this point (14 Nov 2002). Home built SMP 2.4.19 kernel.

strace fails to see the exec-ed man process - nothing seen after the vfork() in less.

Locale settings I guess could be relevant:-
  > locale
  LANG=en_GB.iso885915
  LC_CTYPE="en_GB.iso885915"
  LC_NUMERIC="en_GB.iso885915"
  LC_TIME="en_GB.iso885915"
  LC_COLLATE="en_GB.iso885915"
  LC_MONETARY="en_GB.iso885915"
  LC_MESSAGES="en_GB.iso885915"
  LC_PAPER="en_GB.iso885915"
  LC_NAME="en_GB.iso885915"
  LC_ADDRESS="en_GB.iso885915"
  LC_TELEPHONE="en_GB.iso885915"
  LC_MEASUREMENT="en_GB.iso885915"
  LC_IDENTIFICATION="en_GB.iso885915"
  LC_ALL=

Environment (some variables stripped as they have information on internal network):-
  > printenv
  USER=nigel
  LOGNAME=nigel
  HOME=/home/nigel
  PATH=/home/nigel/bin:/home/nigel/bin/_ccache:/usr/local/bin:/usr/bin:/bin:/usr/bin/X11:/usr/games:/usr/bin:/usr/X11R6/bin
  MAIL=/var/mail/nigel
  SHELL=/bin/tcsh
  TERM=xterm
  DISPLAY=localhost:11.0
  HOSTTYPE=i386-linux
  VENDOR=intel
  OSTYPE=linux
  MACHTYPE=i386
  SHLVL=1
  PWD=/tmp/test
  GROUP=nigel
  LS_COLORS=no=00:fi=00:di=01;34:ln=01;36:pi=40;33:so=01;35:bd=40;33;01:cd=40;33;01:or=01;05;37;41:mi=01;05;37;41:ex=01;32:*.cmd=01;32:*.exe=01;32:*.com=01;32:*.btm=01;32:*.bat=01;32:*.sh=01;32:*.csh=01;32:*.tar=01;31:*.tgz=01;31:*.arj=01;31:*.taz=01;31:*.lzh=01;31:*.zip=01;31:*.z=01;31:*.Z=01;31:*.gz=01;31:*.bz2=01;31:*.bz=01;31:*.tz=01;31:*.rpm=01;31:*.cpio=01;31:*.jpg=01;35:*.gif=01;35:*.bmp=01;35:*.xbm=01;35:*.xpm=01;35:*.png=01;35:*.tif=01;35:
  LANG=en_GB.iso885915
  SUPPORTED=en_GB.iso885915:en_GB:en:en_US.iso885915:en_US:en
  LESSOPEN=|/usr/bin/lesspipe.sh %s
  MANPATH=/usr/share/man:/usr/X11R6/man:/usr/man:/usr/kerberos/man
  CVS_RSH=ssh
  RSYNC_RSH=ssh

Friend elsewhere can also reproduce this. Cannot reproduce on RHL 8.0.
Less version is 358-24
Strange. I've tested this with less-358-24 on 7.3 and with less-358-21 without getting a coredump. Did you change anything in the lesspipe? (/usr/bin/lesspipe.sh)
lesspipe is as originally packaged. It's a man bug. For whatever reason less is calling man as (following example in earlier entry)

  man -- ./syslog.conf.5

This command drops core. In fact "man --" drops core - SEGV:-

  Program received signal SIGSEGV, Segmentation fault.
  0x400e5e48 in _getopt_internal () from /lib/libc.so.6
  (gdb) bt
  #0  0x400e5e48 in _getopt_internal () from /lib/libc.so.6
  #1  0x400e6286 in getopt_long () from /lib/libc.so.6
  #2  0x0804dc86 in get_options_from_argvec (argc=1, argv=0x8089ca8, config_file=0x0, manpath=0x0) at man-getopt.c:66
  #3  0x0804e0eb in get_options_from_string (s=0x8050937 "") at man-getopt.c:210
  #4  0x0804e162 in man_getopt (argc=3, argv=0xbffff9a4) at man-getopt.c:232
  #5  0x0804be13 in main (argc=3, argv=0xbffff9a4) at man.c:1240
  #6  0x400361c4 in __libc_start_main () from /lib/libc.so.6

So the bug is in man. It appears to show up in less for EU folks, although this does not seem to be directly tied to the locale settings (i.e. if I set my locale stuff to C using environment variables I still see the problem). The man core drop on -- is seen by everyone I've got to try it - US or EU.

Modded component and summary of bug report appropriately.
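The backtrace above shows man making a second getopt_long pass, over a one-element vector built from an empty option string, right after the real command line (man -- ./syslog.conf.5) has already been parsed. glibc's getopt keeps its scan position in global state (optind plus internal non-option markers), and after a "--" that position sits at the end of the first, longer vector. The following C program is an added example, not man's code and not from this report; it mirrors that two-pass pattern with a constructed argv builder and shows the standard guard, resetting optind before every pass, so that a short second vector is scanned from index 1 rather than from wherever the previous pass stopped. That stale getopt state is the cause of this particular crash is an assumption here; the report itself only localises the fault to man's option handling.

```c
#include <getopt.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* What one option pass produced. */
struct opts {
    int all;            /* -a / --all seen */
    int first_operand;  /* index of the first non-option argument, or argc if none */
};

/* Bounded strdup so the example does not depend on feature macros. */
static char *dupn(const char *s, size_t len) {
    char *d = malloc(len + 1);
    if (!d) { perror("malloc"); exit(1); }
    memcpy(d, s, len);
    d[len] = '\0';
    return d;
}

/* Build a NULL-terminated argv from a whitespace-separated option string, with
 * a placeholder program name in argv[0], as a program that takes options from an
 * environment variable has to do. Constructed for this example; it is not man's
 * get_options_from_string(). */
static char **string_to_argvec(const char *s, int *argc_out) {
    size_t cap = 8, n = 0;
    char **argv = malloc(cap * sizeof *argv);
    if (!argv) { perror("malloc"); exit(1); }
    argv[n++] = dupn("man", 3);
    while (*s) {
        s += strspn(s, " \t");
        if (!*s) break;
        size_t len = strcspn(s, " \t");
        if (n + 1 >= cap) {
            cap *= 2;
            argv = realloc(argv, cap * sizeof *argv);
            if (!argv) { perror("realloc"); exit(1); }
        }
        argv[n++] = dupn(s, len);
        s += len;
    }
    argv[n] = NULL;
    *argc_out = (int)n;
    return argv;
}

static void free_argvec(char **argv) {
    for (char **p = argv; *p; p++) free(*p);
    free(argv);
}

/* One getopt_long pass over argv. The optind reset is the point: getopt keeps
 * its scan position across calls, so a second pass over a different, shorter
 * vector must start from a clean slate. optind = 0 is glibc's full re-initialise
 * (musl honours it too); optind = 1 is the POSIX minimum and does not clear
 * glibc's internal non-option bookkeeping. */
static void parse_argvec(int argc, char **argv, struct opts *o) {
    static const struct option longopts[] = {
        {"all", no_argument, NULL, 'a'},
        {NULL, 0, NULL, 0}
    };
    int c;
    optind = 0;
    opterr = 0;                       /* no diagnostics for unknown options */
    o->all = 0;
    while ((c = getopt_long(argc, argv, "a", longopts, NULL)) != -1) {
        if (c == 'a') o->all = 1;     /* '?' (unknown option) is ignored here */
    }
    o->first_operand = optind;
}

/* Parse the option string s as one pass and report the operand index. */
static int first_operand_of(const char *s) {
    int argc;
    struct opts o;
    char **argv = string_to_argvec(s, &argc);
    parse_argvec(argc, argv, &o);
    free_argvec(argv);
    return o.first_operand;
}

/* Same, reporting whether -a/--all was seen. */
static int all_flag_of(const char *s) {
    int argc;
    struct opts o;
    char **argv = string_to_argvec(s, &argc);
    parse_argvec(argc, argv, &o);
    free_argvec(argv);
    return o.all;
}

int main(void) {
    /* Pass 1: the command line less issued, per the report. "--" ends option
     * processing and leaves the operand at argv[2]. */
    printf("pass 1: first operand at argv[%d]\n", first_operand_of("-- ./syslog.conf.5"));
    /* Pass 2: an empty option string, i.e. argc == 1 as in frame #2 of the
     * backtrace. With optind reset this simply finds no options (index 1). */
    printf("pass 2: first operand at argv[%d]\n", first_operand_of(""));
    printf("--all foo: all=%d, operand at argv[%d]\n",
           all_flag_of("--all foo"), first_operand_of("--all foo"));
    return 0;
}
```

The two passes run back to back in main() in the same order man's backtrace shows them; the reset in parse_argvec is what keeps the second, one-element pass from inheriting the position left behind by "--" in the first.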
I should have thought of that. I've fixed exactly this bug in man-1.5j-11 See bug #73212 for more info.