On Fri, Jun 08, 2018 at 10:54:47AM +0100, Colin Watson wrote:
> Control: tag -1 fixed-upstream
>
> On Thu, Jun 07, 2018 at 04:41:00PM -0700, Josh Triplett wrote:
> > man(1) documents:
> > > A formatting pipeline is formed from the filters and the primary
> > > formatter (nroff or [tg]roff with -t) and executed. Alternatively, if
> > > an executable program mandb_nfmt (or mandb_tfmt with -t) exists in the
> > > man tree root, it is executed instead. It gets passed the manual
> > > source file, the preprocessor string, and optionally the device
> > > specified with -T or -E as arguments.
> >
> > However, careful checking of strace shows that man looks for mandb_nfmt
> > in the current directory, not in /usr/share/man. *Fortunately*, if
> > found, it then attempts to *execute* "cd /usr/share/man && ./mandb_nfmt
> > ...", so this doesn't appear to open a security hole. Still, this does
> > seem like a bug.
>
> Thanks. Indeed it is. I introduced it in 2.8.3 during a refactoring.
> Fixed now:
>
>   https://git.savannah.gnu.org/cgit/man-db.git/commit/?id=1bab0c3a5d9727c12903055a88825ea6d3e2c361

Thanks!

> > While investigating this, I also found that something in the man
> > pipeline appears to look for a file named "-" in the current directory.
> > Try "touch ./-" , then run "man man" under strace -f and look for a stat
> > of "-" in the trace.
>
> This is a bug in less. Can you file it there separately? You can
> reproduce it like this:
>
>   echo | strace -otrace less
>   fgrep '"-"' trace

Filed, thank you.
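
The strace check discussed in this thread, as an added example that is not part of the original messages or of man-db: a shell function that lists file lookups in an strace log whose path is resolved against the current directory. The sample trace is constructed for illustration; the syscalls, PIDs and addresses in it are assumptions, not captured output from man or less.

```shell
#!/bin/sh
# Added example: flag current-directory-relative file lookups in an strace log.

# relative_lookups TRACEFILE
# Prints "syscall path" for each stat/lstat/access/open/execve call whose
# path argument does not start with "/". The *at() variants are reported
# only when the directory fd is AT_FDCWD, i.e. the path is resolved against
# the current working directory. An optional leading PID (strace -f -o) is
# accepted.
relative_lookups() {
    sed -n -E \
        -e 's#^([0-9]+ +)?(stat|lstat|access|open|execve)\("([^/"][^"]*)".*#\2 \3#p' \
        -e 's#^([0-9]+ +)?(openat|newfstatat|faccessat|faccessat2)\(AT_FDCWD, "([^/"][^"]*)".*#\2 \3#p' \
        "$1"
}

# write_sample_trace FILE
# Writes a constructed trace (not real output) with two relative lookups
# among absolute ones.
write_sample_trace() {
    cat > "$1" <<'EOF'
4242 execve("/usr/bin/man", ["man", "man"], 0x7ffc0000 /* 20 vars */) = 0
4242 openat(AT_FDCWD, "/etc/manpath.config", O_RDONLY) = 3
4242 access("mandb_nfmt", X_OK) = -1 ENOENT (No such file or directory)
4243 stat("-", 0x7ffc1000) = -1 ENOENT (No such file or directory)
4243 openat(AT_FDCWD, "/usr/share/man/man1/man.1.gz", O_RDONLY) = 3
EOF
}

sample=$(mktemp)
write_sample_trace "$sample"
relative_lookups "$sample"
rm -f "$sample"
```

Against a real trace, run the program from a scratch directory so that any relative lookup it reports is unambiguous.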