Package: man-db
Version: 2.8.3-2
Severity: normal

man(1) documents:
> A formatting pipeline is formed from the filters and the primary
> formatter (nroff or [tg]roff with -t) and executed. Alternatively, if
> an executable program mandb_nfmt (or mandb_tfmt with -t) exists in the
> man tree root, it is executed instead. It gets passed the manual
> source file, the preprocessor string, and optionally the device
> specified with -T or -E as arguments.

However, careful checking of strace shows that man looks for mandb_nfmt
in the current directory, not in /usr/share/man. *Fortunately*, if
found, it then attempts to *execute* "cd /usr/share/man && ./mandb_nfmt
...", so this doesn't appear to open a security hole. Still, this does
seem like a bug.

Steps to reproduce:

cat > mandb_nfmt <<EOF
#!/bin/sh
echo foo
EOF
chmod a+x mandb_nfmt
man man

man --debug shows:
External formatter ./mandb_nfmt
...
man: command exited with status 255: (cd /usr/share/man && ./mandb_nfmt /usr/share/man/man7/operator.7.gz t)


While investigating this, I also found that something in the man
pipeline appears to look for a file named "-" in the current directory.
Try "touch ./-", then run "man man" under strace -f and look for a stat
of "-" in the trace.


-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.16.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE=C.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages man-db depends on:
ii  bsdmainutils           11.1.2+b1
ii  debconf [debconf-2.0]  1.5.66
ii  dpkg                   1.19.0.5+b1
ii  groff-base             1.22.3-10
ii  libc6                  2.27-3
ii  libgdbm5               1.14.1-6+b1
ii  libpipeline1           1.5.0-1
ii  libseccomp2            2.3.3-2
ii  zlib1g                 1:1.2.11.dfsg-1

man-db recommends no packages.

Versions of packages man-db suggests:
pn  apparmor                <none>
ii  chromium [www-browser]  67.0.3396.62-1
ii  firefox [www-browser]   60.0.1-5
ii  groff                   1.22.3-10
ii  less                    487-0.1+b1

-- debconf information excluded
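
The mismatch described in the report, modelled in a throwaway directory so it can be compared with the documented lookup without touching /usr/share/man. This is an added example, not man-db's code and not part of the original report; the function names and the status 100 ("no external formatter") are constructed for illustration.

```shell
#!/bin/sh
# Model of the lookup mismatch; not man-db's code. Function names and the
# status 100 ("no external formatter, fall back to nroff") are constructed.

run_in_root() {            # $1 = man tree root, $2 = formatter name
    (cd "$1" && "./$2") >/dev/null 2>&1
}

# Reported behaviour: test in the caller's cwd, run in the man tree root.
lookup_reported() {
    [ -x "./$2" ] || return 100
    run_in_root "$1" "$2"
}

# Documented behaviour: test and run in the man tree root.
lookup_documented() {
    [ -x "$1/$2" ] || return 100
    run_in_root "$1" "$2"
}

# Run both lookups from directory $1 against man tree root $2.
compare() {
    (
        cd "$1" || exit 1
        r=0; lookup_reported "$2" mandb_nfmt || r=$?
        d=0; lookup_documented "$2" mandb_nfmt || d=$?
        echo "reported=$r documented=$d"
    )
}

demo() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/root" "$tmp/work"
    printf '#!/bin/sh\necho foo\n' > "$tmp/work/mandb_nfmt"
    chmod a+x "$tmp/work/mandb_nfmt"
    # Case 1: formatter only in the working directory (the report's setup).
    # The shell's "not found" status is 127; man itself reported 255 here.
    compare "$tmp/work" "$tmp/root"
    # Case 2: formatter only in the man tree root (the documented setup).
    mv "$tmp/work/mandb_nfmt" "$tmp/root/mandb_nfmt"
    compare "$tmp/work" "$tmp/root"
    rm -rf "$tmp"
}

demo
```

In case 1 the cwd-relative test lets a stray file break formatting, and in case 2 the same test skips a formatter that is installed where man(1) says it should be.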
