J-Security Center

Title: Linux Man Page Source Buffer Overflow Vulnerability

Severity: MODERATE

Description:

A buffer overflow vulnerability exists in the implementation of the 'man' system manual pager program commonly included with Linux distributions.

When a manual page file begins with a '.so' statement, the 'man' program uses the filename given with the statement as the source file for that manual page. These statements can be specified recursively over several manual page files; the program loads each sourced file until the 'ultimate' file is found.

A subtle bug exists in the algorithm used to handle these files. If a manual page file is compressed by a program such as gzip, the man program must first expand the file to check the first line for the '.so' statement. To do this, it calls popen() to execute the expansion program, passing the manual page filename as part of the command line.

The only check performed to verify that the file exists is the return value of the popen() call. As a result, it is possible to cause popen() to return a success value by inserting special shell metacharacters followed by valid command names into the filename.

The boundary condition error occurs because the source file algorithm concatenates data from '.so' statements into a fixed-size buffer at every level of recursion. If a command inserted after shell metacharacters in the filename returns a '.so' statement of excessive length, the recursive nature of the algorithm could trigger the condition.

As a result, local users can use this vulnerability to execute arbitrary code/commands with group 'man' privileges. This can lead to further system compromise.
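The checks whose absence is described above, as an added example that is not code from 'man' or from this advisory: each '.so' target is length-checked and allow-listed before it is copied, and the chain is followed by replacing the current name under a depth limit instead of concatenating. MAX_TARGET, MAX_DEPTH, the function names and the constructed in-memory sample table (standing in for reading the file without a shell) are assumptions.

```c
#include <string.h>

#define MAX_TARGET 256  /* assumed bound on a sourced path */
#define MAX_DEPTH  8    /* assumed bound on '.so' recursion */

/* Constructed sample "files" (name, first line); stands in for reading the
 * file directly instead of building a popen() shell command from its name. */
static const char *sample[][2] = {
    {"man1/a.1",    ".so man1/b.1\n"},
    {"man1/b.1",    ".TH B 1\n"},
    {"man1/loop.1", ".so man1/loop.1\n"},
    {"man1/meta.1", ".so man1/x.1;cmd\n"},
};

static const char *first_line(const char *name) {
    for (size_t i = 0; i < sizeof sample / sizeof sample[0]; i++)
        if (strcmp(sample[i][0], name) == 0) return sample[i][1];
    return NULL;
}
/* Returns 1 and fills out if line is a valid '.so' statement, 0 if it is not
 * a '.so' statement, -1 if the target is too long or has unsafe characters. */
int parse_so_target(const char *line, char *out, size_t outsz) {
    static const char ok[] = "abcdefghijklmnopqrstuvwxyz"
        "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789._/-+";
    if (strncmp(line, ".so ", 4) != 0) return 0;
    line += 4;
    size_t n = strcspn(line, "\r\n");
    if (n == 0 || n >= outsz) return -1;   /* length checked before the copy */
    if (strspn(line, ok) < n) return -1;   /* allow-list rejects ; | ` $ etc. */
    memcpy(out, line, n);
    out[n] = '\0';
    return 1;
}

/* Follows '.so' links from name and stores the ultimate file in final.
 * Returns 0 on success, -1 on a missing, rejected, or too-deep chain. */
int resolve_so(const char *name, char *final, size_t finalsz) {
    char cur[MAX_TARGET], next[MAX_TARGET];
    if (finalsz < MAX_TARGET || strlen(name) >= sizeof cur) return -1;
    strcpy(cur, name);
    for (int depth = 0; depth < MAX_DEPTH; depth++) {
        const char *line = first_line(cur);
        int r = line ? parse_so_target(line, next, sizeof next) : -1;
        if (r < 0) return -1;
        if (r == 0) { strcpy(final, cur); return 0; }
        strcpy(cur, next);                 /* replace, never concatenate */
    }
    return -1;                             /* cyclic or over-long chain */
}
```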

Affected Products:

  • RedHat Linux 6.1.0
  • RedHat Linux 6.2.0
  • RedHat Linux 7.0.0
  • RedHat Linux 7.1.0
