> G. Branden Robinson <[email protected]> wrote: > > […] > At 2026-05-27T00:29:36+0100, Deri wrote: >> The report is correct, the proof of concept "works". I'm not sure >> about the severity though, groff runs at the users priority and the >> example is run using a font directory belonging to the user, so any >> commands you put in DESC have the same rights as if you typed them at >> the shell yourself. […] > > Right. There's _no privilege escalation_ here that I can see. Since > groff is already unprivileged and nowhere calls setuid(2) or setgid(2), > complaining that someone can run an arbitrary command via a file on the > file system to which the user already presumptively has write > permissions (a custom DESC file or, a pre-existing compromise of > superuser privileges leading to replacement of a _system_ DESC file), > the report feels kind of like saying, "the shell is a security hole > because it can run arbitrary commands". I don’t think a user would be terribly happy with the results of `rm -rf ~/Documents` or something similar. Running as the user, who needs privilege escalation? — Larry
