On Tuesday, 26 May 2026 04:42:33 BST G. Branden Robinson wrote:
> Hi folks,
>
> The following came in today (25 May) on the bug-groff list. (I wouldn't
> have approved the message, as I feel it's supposed to be a read-only
> reflector of the Savannah bug tracker; but one of the other moderators
> did, I assume, and that's okay.)
>
> In any case it's obviously not embargoed or sensitive since it's already
> public, and in this new era of AI/LLM-crafted vulnerability reports, the
> age of the embargoed vulnerability disclosure is just about over.[1]
>
> Would anyone care to study this report and assess its validity?
>
> I have my own preliminary assessment but I want to hear others' views.
>
> Regards,
> Branden

Hi Branden,

The report is correct, the proof of concept "works". I'm not sure about the severity though, groff runs at the user's priority and the example is run using a font directory belonging to the user, so any commands you put in DESC have the same rights as if you typed them at the shell yourself.

As far as polluting a multi-user system you would need root access to /usr/(local)/share/groff to alter the DESC file, so if you already have root access all bets are off anyway. If you are installing groff other than from the FSF site then you are on your own.

It would be an improvement if the value of "printer" was validated in some way if the -l flag is given.

Cheers
Deri
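An audit sketch for the two points in the reply above (who can alter a DESC file, and what its spooler line would run), added here as an example; it is not part of the original message and not groff code. It assumes the spooler command is the `print` line of DESC as documented in groff_font(5) and that device directories are named `dev*`; the allowlist pattern is this example's own heuristic.

```python
"""Audit groff device directories: who can edit DESC, and what does `print` run?"""
import os
import re
import stat
import sys

# Heuristic chosen for this example (not groff behaviour): a spooler command
# made only of plain words, paths and simple options, e.g. "lpr -Pqueue".
PLAIN_COMMAND = re.compile(r"[A-Za-z0-9_./+:=-]+( [A-Za-z0-9_./+:=-]+)*")


def audit_desc(path):
    """Return a list of findings for one DESC file; an empty list means none."""
    findings = []
    st = os.stat(path)
    # A DESC owned by root or by the invoking user matches the trust model
    # described in the reply; any other owner can change what -l runs.
    if st.st_uid not in (0, os.getuid()):
        findings.append(f"owned by uid {st.st_uid}")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("writable by group or other")
    with open(path, encoding="latin-1") as fh:
        for line in fh:
            # '#' starts a comment; the first word is the DESC keyword.
            words = line.split("#", 1)[0].split(None, 1)
            if len(words) == 2 and words[0] == "print":
                command = " ".join(words[1].split())
                if not PLAIN_COMMAND.fullmatch(command):
                    findings.append(f"unusual print command: {command!r}")
    return findings


def audit_tree(root):
    """Map every dev*/DESC path under root to its list of findings."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        if "DESC" in files and os.path.basename(dirpath).startswith("dev"):
            path = os.path.join(dirpath, "DESC")
            results[path] = audit_desc(path)
    return results


if __name__ == "__main__":
    # Default roots are the system locations named in the reply.
    roots = sys.argv[1:] or ["/usr/share/groff", "/usr/local/share/groff"]
    for root in roots:
        for path, findings in sorted(audit_tree(root).items()):
            print(path, "OK" if not findings else "; ".join(findings))
```

Pass a per-user font directory as an argument to audit it as well.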
