Re: SuSe / Debian man package format string vulnerability

[Andreas Ferber]

Hi,

On Mon, Feb 05, 2001 at 06:34:47AM -0500, John wrote:
> On my Debian 2.2 system 'man' was installed
> suid root. I don't know about Debian 2.3 but,
> Debian 2.2 does install 'man' suid root.

No, this is not true:

$ ls -la /usr/lib/man-db/man
-rwsr-xr-x    1 man      root        82848 Apr  4  2000 /usr/lib/man-db/man
$

This is the actual man binary (/usr/bin/man is only a wrapper, did not
examine closer what it does, but it has no setu/gid bit set), after a
plain Debian 2.2 potato install.

Andreas
-- 
After the last of 16 mounting screws has been removed from an access
cover, it will be discovered that the wrong access cover has been removed.

PGP signature