
Re: [Groff] FW: ISS Security Advisory: GNU Groff utilities read untrusted commands from current working directory


From: Werner LEMBERG
Subject: Re: [Groff] FW: ISS Security Advisory: GNU Groff utilities read untrusted commands from current working directory
Date: Thu, 05 Oct 2000 22:37:31 +0200 (CEST)

[Jörg sent this security alert to the groff list]

> I pass this from Bugtraq for your information

Thanks a lot!  There are really serious problems...

> By default, the "troff" program reads its "troffrc" initialization
> file from the current working directory.  From a security
> standpoint, it would be desirable to restrict the searchable path
> for this file to the invoker's home directory and/or a trusted
> system.  Unfortunately, this could present problems for programs
> that depend on the current behavior.

My suggestion is to restrict the location of troffrc and troffrc-end
to `~' and groff's default tmac directory
(e.g. /usr/local/share/groff/tmac) if the -U flag isn't given.
Additionally, I'll implement tmac.safer internally, i.e., without the
-U flag these requests will produce error messages.  tmac.safer will
then no longer exist.

> The "groff" program, a front-end for troff, has a similar problem.
> It looks for the appropriate device description file (as given by
> the -T parameter, or "ps" by default) using devname/DESC in the
> current working directory.

Ditto.  The current directory is only allowed if the -U option is
given.

> The device description file may contain an optional "postpro"
> directive, which defines a command to be run after normal
> processing.  A malicious user could place a trojan device
> description file in a world-writable directory (i.e. /tmp), after
> which any invocations of groff from that directory are unsafe.

I imagine that the restriction to `trusted' directories (without the
-U flag) closes this security hole.  Please correct me if I'm wrong.

> Internet Security Systems has not received a response from the
> current GNU Groff maintainer.  In the interest of accelerating the
> elimination of these vulnerabilities, this advisory is being
> disseminated to the open source community for public discussion.

At least I haven't received anything from ISS -- to which address have
you sent a mail?  The correct address for bug reports to groff is
`address@hidden'.

> Internet Security Systems recognizes that reading from the current
> directory is traditional groff/troff behavior, and that in many
> document-creating scenarios it is actually a useful `feature'.  One
> possibility could be to not trust the current directory at all by
> default, perhaps requiring a special command line option to revert
> to the old behavior.  At any rate, the fix is not obvious, as per
> Solar Designer's analysis.

I believe that the suggestions given above solve the problem.  Please
comment.


    Werner
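The search-path policy proposed in the mail above (current directory only under -U, otherwise only ~ and the default tmac directory), plus a small parser that reports which command a DESC file's "postpro" directive would run, as an added example. This is not groff's code; the in-memory "filesystem", the sample DESC contents and the paths other than the tmac default are constructed for the demonstration.

```python
"""Search-path policy for troffrc / devNAME/DESC lookups, modelled on the
proposal in the mail.  Added example, not groff's own code: the current
directory is searched only when -U is given; otherwise only ~ and the
default tmac directory.  The 'filesystem' below is constructed."""
from pathlib import PurePosixPath as P
from typing import List, Optional, Set

TMAC_DIR = P("/usr/local/share/groff/tmac")   # default named in the mail


def search_dirs(unsafe: bool, cwd: P, home: P, tmac_dir: P = TMAC_DIR) -> List[P]:
    """Directories searched, in order.  cwd leads the list only under -U."""
    dirs = [home, tmac_dir]
    if unsafe:
        dirs.insert(0, cwd)
    return dirs


def resolve(name: str, unsafe: bool, cwd: P, home: P, present: Set[P]) -> Optional[P]:
    """First existing copy of `name` along the search path, or None.
    `present` stands in for the filesystem (constructed set of paths)."""
    for d in search_dirs(unsafe, cwd, home):
        candidate = d / name
        if candidate in present:
            return candidate
    return None


def postpro_command(desc_text: str) -> Optional[str]:
    """Command named by a DESC file's 'postpro' directive, or None if absent.
    Handy when auditing a directory for device files that would run a command."""
    for line in desc_text.splitlines():
        fields = line.split()
        if fields and fields[0] == "postpro":
            return " ".join(fields[1:])
    return None


# Constructed samples: a genuine devps/DESC names grops as its postprocessor;
# a planted copy in a world-writable directory names something else.
GENUINE_DESC = "res 72000\nhor 1\nvert 1\npostpro grops\n"
PLANTED_DESC = "res 72000\npostpro /tmp/planted-postprocessor\n"

CWD, HOME = P("/tmp"), P("/home/user")                       # constructed
PRESENT = {CWD / "devps/DESC", TMAC_DIR / "devps/DESC"}      # constructed

if __name__ == "__main__":
    for unsafe in (False, True):
        print("-U" if unsafe else "default", "->",
              resolve("devps/DESC", unsafe, CWD, HOME, PRESENT))
    print("planted DESC would run:", postpro_command(PLANTED_DESC))
```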
