Bugtraq mailing list archives

Re: Troff dangerous.

From: ronny () TMX COM AU (Ronny Cook)
Date: Mon, 26 Jul 1999 12:23:30 +1000

Date:         Sun, 25 Jul 1999 10:18:20 -0400
From: John Robert LoVerso <john () LOVERSO SOUTHBOROUGH MA US>

This isn't a problem with "troff" or any of it's varients.  Instead,
this is an exploit purely with "groff", the GNU reimplementation.  Troff
doesn't have the file stream or ".pso" requests; those are purely part
of groff.

Thus, this affects only systems with groff installed (all Linux and FreeBSD
systems, at least).

John

The original nroff had a ".pi" command (which only worked for nroff, not
troff). It pipes the output of the nroff command to a particular program,
although no command line arguments could be supplied. (This is according to
the "Nroff/Troff User's Manual", section 19: "Input/Output File Switching".)

I agree it's a concern, although having the man pages writable in the
first place is something of a risk if you ask me... I would think that the
principle of least privilege would apply.

                ...Ronny

--
 Ronald Cook, Technical Manager - Message Handling Systems/The Message eXchange
 Email: ronny () tmx com au ----- Phone: +61-2-9550-4448 ---- Fax: +61-2-9519-2551

Current thread:

Re: Troff dangerous., (continued)
- Re: Troff dangerous. Olaf Kirch (Jul 26)
- Re: Troff dangerous. Joel Eriksson (Jul 25)
  - Re: Troff dangerous. Pete (Jul 25)
    - Re: Troff dangerous. Robert Watson (Jul 27)
  - Re: Troff dangerous. Yozo Toda (Jul 25)
  - Re: Troff dangerous. Eric Moore (Jul 25)
    - Re: Troff dangerous. Ville Nummela (Jul 27)
- Re: Troff dangerous. Jason Thorpe (Jul 25)
  - Retrieving RDS Data... Wanderley J. Abreu Jr (Jul 26)
  - Re: Troff dangerous. Bob Beck (Jul 26)
- Re: Troff dangerous. Ronny Cook (Jul 25)
- Re: Troff dangerous. Steven M. Bellovin (Jul 26)
- Re: Troff dangerous. Groovy Pants Gus (Jul 26)