Re: SuSe / Debian man package format string vulnerability

[Robert Bihlmeyer]

Martin Schulze <[EMAIL PROTECTED]> writes:

> Please tell me what you gain from this.  man does not run setuid root/man
> but only setgid man.

Debian man-db is setuid (not setgid) man[1] in the latest stable and unstable
incarnations.

Getting uid man is not immediate death, but bad enough. Bug 84128 has
been reported (with the trivial patch) a week ago. Please fix it.


Footnotes:
[1]  Unless you've set NOSETGID in /etc/manpath.config ... obvious,
isn't it?

--
Robbe

signature.ng