[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[linux-security] man bugs



Topic
=====
a) RedHat's man package has a heap overrun.
b) Debian's man-db package allows a symlink attack.

Problem Description
===================
a) A buffer size was calculated incorrectly in man.c. This bug can be exploited
to gain gid man priviledges, which in turn may be used to gain root
priviledges.
b) A bug in man-db can be abused to gain priviledges of the user "man".

Affected Systems
================
a) RedHat 6.x, 7.0 (7.1 is not affected)
b) Debian

Workaround
==========
a) # chmod g-s /usr/bin/man
b) # suidregister /usr/lib/man-db/man root root 0755
   # suidregister /usr/lib/man-db/mandb root root 0755

Solution
========
RedHat 6.x
----------
rpm -Fvh man-1.5i-0.6x.1.i386.rpm mktemp-1.5-2.1.6x.i386.rpm

RedHat 7.0
----------
rpm -Fvh man-1.5i-4.i386.rpm

Debian 2.2 (potato)
-------------------
upgrade to man-db_2.3.16-4_i386.deb