DSA-028-1 man-db -- format string vulnerability

Debian Security Advisory

DSA-028-1 man-db -- format string vulnerability

Date Reported:

09 Feb 2001

Affected Packages:

man-db

Vulnerable:

Yes

Security database references:

In Mitre's CVE dictionary: CVE-2001-0193.

More information:

Styx has reported that the program `man' mistakenly passes malicious strings (i.e. containing format characters) through routines that were not meant to use them as format strings. Since this could cause a segmentation fault and privileges were not dropped it may lead to an exploit for the 'man' user.

We recommend you upgrade your man-db package immediately.

Fixed in:

Debian 2.2 (potato)

Source:

http://security.debian.org/dists/stable/updates/main/source/man-db_2.3.16-1.1.dsc

http://security.debian.org/dists/stable/updates/main/source/man-db_2.3.16-1.1.tar.gz

alpha:

http://security.debian.org/dists/stable/updates/main/binary-alpha/man-db_2.3.16-1.1_alpha.deb

arm:

http://security.debian.org/dists/stable/updates/main/binary-arm/man-db_2.3.16-1.1_arm.deb

i386:

http://security.debian.org/dists/stable/updates/main/binary-i386/man-db_2.3.16-1.1_i386.deb

m68k:

http://security.debian.org/dists/stable/updates/main/binary-m68k/man-db_2.3.16-1.1_m68k.deb

powerpc:

http://security.debian.org/dists/stable/updates/main/binary-powerpc/man-db_2.3.16-1.1_powerpc.deb

sparc:

http://security.debian.org/dists/stable/updates/main/binary-sparc/man-db_2.3.16-1.1_sparc.deb