RedHat 7.0 with man-1.5h1-10 (default package) and earlier


    zenith parsec found the following.  Due to a slight error in a length
    check, the -S option to man can cause a buffer overflow on the heap,
    allowing redirection of execution into user-supplied code.

        man -S `perl -e 'print ":" x 100'`

    Will cause a seg fault if you are vulnerable.

    The info above to get man to seg fault is slightly incorrect.  You
    need to supply some text as the name of a man page - otherwise man
    will reject all input.  The number of :'s is irrelevant too - one
    is enough.

        man -S : blah

    will cause a seg fault.
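    The two reports above describe a length check that goes wrong when the
    -S section list is split and stored on the heap. The following is an
    added illustration, not man's source code: a hypothetical parser for a
    colon-separated section list with the kind of off-by-one check that
    lets the NUL terminator land one byte past a fixed-size record, shown
    beside the corrected check. The table size (MAX_SECTIONS), record size
    (SECTION_BUF) and all function names are assumptions for the example;
    the buggy predicate is kept as a predicate only and never drives a write.

```c
/*
 * Added illustration (not man's source): splitting a ':'-separated "-S"
 * list into fixed-size records, with an off-by-one length check beside
 * the corrected one.  Sizes and names are hypothetical.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_SECTIONS 16   /* hypothetical capacity of the section table */
#define SECTION_BUF  8    /* hypothetical bytes per section name, incl. NUL */

struct section_list {
    int  count;
    char name[MAX_SECTIONS][SECTION_BUF];
};

/* Buggy predicate: accepts len == SECTION_BUF, so name + NUL terminator is
 * SECTION_BUF + 1 bytes and the terminator lands one byte past the record.
 * Kept as a predicate only; it is never used to drive a write here. */
int buggy_name_fits(size_t len) { return len <= SECTION_BUF; }

/* Corrected predicate: the name and its NUL must both fit. */
int fixed_name_fits(size_t len) { return len + 1 <= SECTION_BUF; }

/*
 * Split ARG on ':' into OUT using the corrected checks.
 * Returns the entry count, -1 if there are too many entries, -2 if a
 * single entry is too long.  An empty ARG, or ":" alone, yields empty
 * entries rather than an overflow.
 */
int parse_sections(const char *arg, struct section_list *out)
{
    const char *p = arg;
    out->count = 0;
    for (;;) {
        const char *colon = strchr(p, ':');
        size_t len = colon ? (size_t)(colon - p) : strlen(p);
        if (out->count >= MAX_SECTIONS)
            return -1;      /* table full: refuse instead of running past it */
        if (!fixed_name_fits(len))
            return -2;      /* name would not fit together with its NUL */
        memcpy(out->name[out->count], p, len);
        out->name[out->count][len] = '\0';
        out->count++;
        if (colon == NULL)
            return out->count;
        p = colon + 1;
    }
}

/* Wrappers that return values rather than printing them. */
static struct section_list g_list;

int section_count(const char *arg) { return parse_sections(arg, &g_list); }

const char *section_at(const char *arg, int i)
{
    if (parse_sections(arg, &g_list) < 0 || i < 0 || i >= g_list.count)
        return NULL;
    return g_list.name[i];
}

/* Constructed input mirroring the advisory's 100-colon argument. */
int hundred_colons_result(void)
{
    char buf[101];
    memset(buf, ':', 100);
    buf[100] = '\0';
    return parse_sections(buf, &g_list);
}

int main(void)
{
    printf("\":\"         -> %d entries\n", section_count(":"));
    printf("\"1:3:8\"     -> %d entries\n", section_count("1:3:8"));
    printf("100 colons  -> %d (rejected)\n", hundred_colons_result());
    printf("8-char name -> buggy fits %d, fixed fits %d\n",
           buggy_name_fits(8), fixed_name_fits(8));
    return 0;
}
```

    The point of the comparison is the single character of difference
    between the two predicates: with an 8-byte record an 8-character name
    passes the buggy check, and the terminator is written one byte beyond
    the record, which on a heap-allocated table corrupts whatever follows.
    The corrected parser also bounds the entry count, so a single ":" or a
    hundred of them produce empty entries or a clean rejection rather than
    a write past the table.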

    It is possible to  insert a pointer into  a linked list that  will
    allow overwriting  of any  value in  memory that  is followed by 4
    null characters (a null pointer).  One such memory location is the
    last entry on the GOT (global offset table).  When another item is
    added to the linked list, the address of the data (a filename)  is
    inserted over the last value, effectively redefining the  function
    to the code represented by the filename.

    Putting shellcode  in the  filename allows  execution of arbitrary
    code when the function referred to is called.


    This doesn't work on Slackware 7.1.

    For RedHat:

    This has been confirmed on Debian 2.2 woody, and a patch to fix it has
    been submitted.  The new version is in unstable - ver 2.3.18-2.

    For SuSE:

    For Immunix OS: