Segfault problem with man -k "map "

Nifty Hat Mitch mitch48 at sbcglobal.net
Mon Jan 17 21:47:42 UTC 2005 

On Mon, Jan 10, 2005 at 06:35:53PM +0100, nodata wrote:
> Reply-To: For users of Fedora Core releases <fedora-list at redhat.com>
> On Sat, 2005-01-08 at 09:16 -0500, Neo Anderson wrote:
> > I am running FC3 inside Microsoft Virtual PC 2004/SP1 and my kernel is
> > the latest 2.6.9-1.724_FC3.
> > 
> > A copy of the output after run the command:
> > 
> > [neo at fedora ~]$ man -k "map "
> > sh: /unsafe/: No such file or directory
> > Error executing formatting or display command.
> > System command /unsafe/ exited with status 32512.
> > Segmentation fault
> > 
> > Does this mean anything special to security? It is a bug?

If you expose the man binary to abuse via some SUID/SGID or CGI
situation there is a potential risk when anything dumps core.  In this
case it looks as if the program is generating the error on purpose to
side step security risks.  Thus you are 95% safe.

strace tells me....
    execve("/bin/sh", ["sh", "-c", "/unsafe/"]

In the source I see
   ./man-1.5o1/src/util.c:#define NOT_SAFE "/unsafe/"
   ./man-1.5k/src/util.c:#define NOT_SAFE "unsafe"
   and more that convinces me it is being cautious.

> Bugzilla it. "Nothing should segfault."

True but not all seg faults are security issues.

It can be reduced to a simple case for the bug:

   $ man -k " "
   sh: line 1: /unsafe/: No such file or directory
   Error executing formatting or display command.
   System command /unsafe/ exited with status 32512.
   Segmentation fault (core dumped)

Note that multiple words get looked for by man -k.

   $ man -k bark " "
   bark: nothing appropriate
   sh: line 1: /unsafe/: No such file or directory
   Error executing formatting or display command.
   System command /unsafe/ exited with status 32512.
   Segmentation fault (core dumped)

   $ man -k this that | wc
       565   12133   86468
   $ man -k that | wc
       536   11377   81504

The almost obvious work around if you are scripting man -k stuff
is to use apropos...
   $ apropos "ls " | wc
    169    2584   17998
   $ man -k  "ls " | wc
   sh: line 1: /unsafe/: No such file or directory
   Error executing formatting or display command.
   System command /unsafe/ exited with status 32512.
          0       0       0

The OP is welcome to quote from above in the bug....

SUMMARY... use apropos as a work around.


-- 
	T o m  M i t c h e l l 
	spam unwanted email.
	SPAM, good eats, and a trademark of  Hormel Foods.

More information about the fedora-list mailing list