Deri via discussion of the GNU roff typesetting system and related software <[email protected]> writes:
> On Tuesday, 26 May 2026 04:42:33 BST G. Branden Robinson wrote:
>> Hi folks,
>>
>> The following came in today (25 May) on the bug-groff list. (I wouldn't
>> have approved the message, as I feel it's supposed to be a read-only
>> reflector of the Savannah bug tracker; but one of the other moderators
>> did, I assume, and that's okay.)
>>
>> In any case it's obviously not embargoed or sensitive since it's already
>> public, and in this new era of AI/LLM-crafted vulnerability reports, the
>> age of the embargoed vulnerability disclosure is just about over.[1]
>>
>> Would anyone care to study this report and assess its validity?
>>
>> I have my own preliminary assessment but I want to hear others' views.
>>
>> Regards,
>> Branden
>
> Hi Branden,
>
> The report is correct; the proof of concept "works". I'm not sure about the
> severity though: groff runs at the user's priority and the example is run
> using a font directory belonging to the user, so any commands you put in
> DESC have the same rights as if you typed them at the shell yourself. As far
> as polluting a multi-user system, you would need root access to
> /usr/(local)/share/groff to alter the DESC file, so if you already have root
> access all bets are off anyway. If you are installing groff other than from
> the FSF site then you are on your own.
>
> It would be an improvement if the value of "printer" was validated in some
> way if the -l flag is given.

It is pretty low severity, if even a security issue. One should expect
'groff' to execute arbitrary commands based on the DESC file, as it is
documented to do so [1]. I suggest not trying to validate the directives,
which is bound to be a headache, and just using posix_spawn or fork + exec.
If that is possible.

Collin

[1] https://www.gnu.org/software/groff/manual/groff.html.node/DESC-File-Format.html
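The approach Collin suggests, as an added illustration that is not groff's code nor anything posted in this thread: read the `print` directive out of a DESC file and start the spooler with posix_spawnp() and an argv, so no shell ever interprets the value. The function names parse_print_directive() and spawn_print() and the DESC text in the comments are constructed for this example.

```c
/* Added example, not groff's own code: run a DESC "print" command
 * without a shell. Names below are hypothetical. */
#include <spawn.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

extern char **environ;

#define MAX_ARGS 32

/* Locate the "print " line in DESC text, copy its value into buf and split it
 * on blanks into a NULL-terminated argv. Returns argc, or -1 if there is no
 * print directive or it does not fit. Each word becomes one literal argument:
 * ";", "|", "$(" and friends are never special, since no shell sees them. */
static int parse_print_directive(const char *desc, char *buf, size_t bufsz,
                                 char **argv, int max)
{
    const char *line = desc;
    while (line && *line) {
        const char *eol = strchr(line, '\n');
        size_t len = eol ? (size_t)(eol - line) : strlen(line);
        if (len > 6 && strncmp(line, "print ", 6) == 0) {
            if (len - 6 >= bufsz) return -1;        /* value too long */
            memcpy(buf, line + 6, len - 6);
            buf[len - 6] = '\0';
            int argc = 0;
            for (char *tok = strtok(buf, " \t"); tok; tok = strtok(NULL, " \t")) {
                if (argc >= max - 1) return -1;     /* too many words */
                argv[argc++] = tok;
            }
            argv[argc] = NULL;
            return argc;
        }
        line = eol ? eol + 1 : NULL;
    }
    return -1;                                      /* no print directive */
}

/* Spawn argv[0] via PATH lookup and return its exit status, or -1 if the
 * spawn failed (e.g. the program does not exist) or it did not exit normally. */
static int spawn_print(char *const argv[])
{
    pid_t pid;
    int status;
    if (posix_spawnp(&pid, argv[0], NULL, NULL, argv, environ) != 0)
        return -1;
    if (waitpid(pid, &status, 0) != pid)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```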
