Re: strange man behavior

From: Rob Pickering (rob@rpaconsult.co.uk)
Date: 08/13/02 

Date: Tue, 13 Aug 2002 12:51:47 +0100
From: Rob Pickering <rob@rpaconsult.co.uk>
To: vuln-dev@securityfocus.com

There is no defect here, much less an exploitable one. Man is exiting
with a non-zero status when asked to format an infinite string of
random characters. It is correctly catching the data error.

Even if it did have a defect, of which I don't doubt there are
thousands in an average *NIX, it would only be of significance from a
vulnerability point of view if it were setuid binary, a daemon
accessible over the network to non-authenticated users, or you can
conceivably cause a process running under something other than your
own UID to trip over it.

Otherwise these are of no more significant than writing a program
like:

main(){f();}
int f(){char buf[4]; gets(buf);}

compiling and running it yourself. 

--
    Rob.

--On 12 August 2002 12:34 -0400 Ron Sweeney <sween@modelm.org> wrote:

>
> sween@attaway:~$ man -V
> man, version 2.3.20, 07 September 2001
> sween@attaway:~$ uname -a
> Linux attaway 2.2.20 #1 Sat Apr 20 11:45:28 EST 2002 i586 unknown
>
> sween@attaway:~$ man /dev/random
> Reformatting random, please wait...
>
> man: command exited with status 2: /usr/bin/zsoelim /dev/random |
> /usr/bin/tbl | /usr/bin/nroff -mandoc -Tlatin1 | exec
> /usr/bin/pager -s
>
> more weirdness with other binaries, /bin/sh and /dev/urandom...
>
> not sure what to think of this yet...exploitable?
>
> this condition does ! exist on FreeBSD, HPUX or Solaris.
>
> *shrug*
>
> your thoughts?
>
>
>  ---  -sween
>| M | http://www.modelm.org
>  ---  "TYPE HARD OR GO HOME." | US Patent, US4118611
>
>
>

--
  Rob Pickering.
                    +44 (0) 7970 939456