Subject: security/8069: man(1) vulnerability
To: None <gnats-bugs@gnats.netbsd.org>
From: Matthias Buelow <mkb@altair.mayn.de>
List: netbsd-bugs
Date: 07/25/1999 06:35:52
>Number:         8069
>Category:       security
>Synopsis:       man(1) doesn't take precautions against malicious groff commands
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    security-officer (NetBSD Security Officer)
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Sun Jul 25 06:35:00 1999
>Last-Modified:
>Originator:     Matthias Buelow
>Organization:
>Release:        NetBSD 1.4
>Environment:
	
System: NetBSD altair.mayn.de 1.4 NetBSD 1.4 (ALTAIR) #9: Sun May 16 20:38:20 CEST 1999 mkb@altair.mayn.de:/usr/src/sys/arch/i386/compile/ALTAIR i386


>Description:
Groff, the document formatting system used for formatting manual pages,
extends the troff command set with a couple of commands that can be used
to write files on disk.
When running man(1) as root, a maliciously crafted manual page can write
any file on the system with superuser permissions.

>How-To-Repeat:
Create a manual page with the following contents:

.opena stream /tmp/rootcreated
.write stream foobar

and format it.  Look at /tmp/rootcreated.

>Fix:
a) man should be setuid man, like for example on FreeBSD.
b) use the -S option with groff, if possible.
c) do not format manual pages as the superuser.

>Audit-Trail:
>Unformatted:
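
Added example, not part of the original report and not NetBSD or groff code: a heuristic scan of manual page source, run before formatting, for the requests shown under How-To-Repeat together with the requests that groff's -S safer mode disables (open, opena, pso, sy, pi). The function name, finding labels and sample page are constructed for illustration; a line-based scan can be evaded, so it supplements fixes (b) and (c) rather than replacing them.

```python
import re

# Requests that groff's safer mode (-S) disables, plus .write from the report.
FILE_REQUESTS = {"open", "opena", "pso", "sy", "pi", "write"}
# Requests that alias or rename other requests, or change the control
# characters; either one can hide a file request from a line-based scan.
ALIASING = {"als", "rn"}
CONTROL_CHANGE = {"cc", "c2"}

# Default control characters are '.' and "'"; blanks may follow them.
# A backslash right after the control character (e.g. a comment) is skipped.
CONTROL_LINE = re.compile(r"^[.'][ \t]*([^\s\\]+)[ \t]*(.*)$")


def scan_manpage(source):
    """Return a list of (line_number, reason, text) findings."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        m = CONTROL_LINE.match(line)
        if not m:
            continue
        request, args = m.group(1), m.group(2).split()
        if request in FILE_REQUESTS:
            findings.append((lineno, "file-request:" + request, line))
        elif request in ALIASING and FILE_REQUESTS & set(args):
            findings.append((lineno, "alias-of-file-request", line))
        elif request in CONTROL_CHANGE:
            findings.append((lineno, "control-char-changed", line))
    return findings


# Constructed sample: the two lines from How-To-Repeat inside a minimal page,
# followed by an alias and a control-character change as edge cases.
SAMPLE = """\
.TH DEMO 1
.SH NAME
demo \\- constructed test page
.\\" a comment line, not a request
.opena stream /tmp/rootcreated
.write stream foobar
'  als xx opena
.cc #
"""

if __name__ == "__main__":
    for lineno, reason, text in scan_manpage(SAMPLE):
        print(f"{lineno}: {reason}: {text}")
```

A page that changes its control character is reported as such because every later line is then outside what this scan can interpret.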