> G. Branden Robinson <[email protected]> wrote:
>
> […]
> At 2026-05-27T00:29:36+0100, Deri wrote:
>> The report is correct, the proof of concept "works". I'm not sure
>> about the severity though, groff runs at the user's priority and the
>> example is run using a font directory belonging to the user, so any
>> commands you put in DESC have the same rights as if you typed them at
>> the shell yourself. […]
>
> Right. There's _no privilege escalation_ here that I can see. Since
> groff is already unprivileged and nowhere calls setuid(2) or setgid(2),
> complaining that someone can run an arbitrary command via a file on the
> file system to which the user already presumptively has write
> permissions (a custom DESC file, or a pre-existing compromise of
> superuser privileges leading to replacement of a _system_ DESC file),
> the report feels kind of like saying, "the shell is a security hole
> because it can run arbitrary commands".

I don’t think a user would be terribly happy with the results of
`rm -rf ~/Documents` or something similar. Running as the user,
who needs privilege escalation?
— Larry