Date: Wed, 31 Jan 2001 14:22:01 -0000 From: Joao Gouveia <tharbad@KAOTIK.ORG> Subject: SuSe / Debian man package format string vulnerability To: BUGTRAQ@SECURITYFOCUS.COM Hi, This issue has been discussed in vuln-dev (2001-01-26), see: http://www.securityfocus.com/templates/archive.pike?end=2001-01-27&tid=158724&fromthread=0&start=2001-01-21&threads=1&list=82 Posted also on suse security list, and aparently overlooked. The man package that ships with SuSe Linux ( at least versions 6.1 throught 7.0 ) has a format string vulnerability. Also debian 2.2r2 ( at least ), is confirmed to have the same problem. <quote> jroberto@spike:~ > man -l %x%x%x%x man: 4000bc7438049af00: No such file or directory </quote> Regards, Joao Gouveia ------------ tharbad@kaotik.org