From owner-freebsd-bugs Wed Dec 12 23:30: 8 2001 Delivered-To: freebsd-bugs@hub.freebsd.org Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21]) by hub.freebsd.org (Postfix) with ESMTP id 7537B37B419 for ; Wed, 12 Dec 2001 23:30:00 -0800 (PST) Received: (from gnats@localhost) by freefall.freebsd.org (8.11.6/8.11.6) id fBD7U0E85154; Wed, 12 Dec 2001 23:30:00 -0800 (PST) (envelope-from gnats) Received: from raven.robbins.dropbear.id.au (163.a.011.mel.iprimus.net.au [210.50.216.163]) by hub.freebsd.org (Postfix) with ESMTP id 036E637B417 for ; Wed, 12 Dec 2001 23:25:26 -0800 (PST) Received: (from tim@localhost) by raven.robbins.dropbear.id.au (8.11.6/8.11.6) id fBD7DiH01449; Thu, 13 Dec 2001 18:13:44 +1100 (EST) (envelope-from tim) Message-Id: <200112130713.fBD7DiH01449@raven.robbins.dropbear.id.au> Date: Thu, 13 Dec 2001 18:13:44 +1100 (EST) From: "Tim J. Robbins" Reply-To: "Tim J. Robbins" To: FreeBSD-gnats-submit@freebsd.org X-Send-Pr-Version: 3.113 Subject: bin/32791: FreeBSD's man(1) utility vulnerable to old catman attacks Sender: owner-freebsd-bugs@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org >Number: 32791 >Category: bin >Synopsis: FreeBSD's man(1) utility vulnerable to old catman attacks >Confidential: no >Severity: serious >Priority: medium >Responsible: freebsd-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: current-users >Arrival-Date: Wed Dec 12 23:30:00 PST 2001 >Closed-Date: >Last-Modified: >Originator: Tim J. Robbins >Release: FreeBSD 4.4-STABLE i386 >Organization: >Environment: System: FreeBSD raven.robbins.dropbear.id.au 4.4-STABLE FreeBSD 4.4-STABLE #1: Thu Dec 13 10:57:55 EST 2001 tim@raven.robbins.dropbear.id.au:/usr/obj/usr/src/sys/GENERIC i386 >Description: The catman system of the man(1) utility included with FreeBSD is vulnerable to a whole bunch of attacks whereby the catpage's contents can be controlled by an attacker. Discussions of the problem: http://security-archive.merton.ox.ac.uk/security-audit-199908/ ("SGID man", Solar Designer, Sun Aug 01 1999 .. and followups) http://security-archive.merton.ox.ac.uk/security-audit-200010/0022.html (more problems) >How-To-Repeat: There are too many ways to repeat the problem.. here's one: $ ln -s /usr/share/man/cat1 cat1 $ mkdir man1 $ cd man1 $ cat >ls.1 oops! modified ^D $ cd .. $ man -M . ls Formatting page, please wait...Done. oops! modified >Fix: Remove the suid(!) bit from /usr/bin/man. >Release-Note: >Audit-Trail: >Unformatted: To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-bugs" in the body of the message