[bug #61424] [libgroff] directory traversal in .fp request

bug-groff

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[bug #61424] [libgroff] directory traversal in .fp request

From:	G. Branden Robinson
Subject:	[bug #61424] [libgroff] directory traversal in .fp request
Date:	Tue, 28 Dec 2021 00:50:12 -0500 (EST)
User-agent:	Lynx/2.8.9rel.1 libwww-FM/2.14 SSL-MM/1.4.1 GNUTLS/3.6.7

Follow-up Comment #5, bug #61424 (project groff):

[comment #4 comment #4:]
> The bug has been fixed, but in case someone else tries the example and is as
puzzled as I was:
> 
> [comment #0 original submission:]
> > Output:
> > 
> > 
> > $ nroff EXPERIMENTS/hello-dave.roff
> > EVIL
> > 
> 
> I could not for the life of me get this output from groff 1.22.4 given the
described setup (with paths altered to match my local system).  I was finally
able to replicate it by moving ~/bogusfont into ~/devascii/bogusfont, and
altering the pathname in hello-dave.roff to match.  Even though the full path
is in the .fp request, I still needed a dev* directory above bogusfont, and
its name had to match the current output device.  I'm mildly curious why it
worked for Branden without those constraints.
> 
> (Another curious constraint is that merely specifying a relative path
starting with ../ was insufficient to trigger the bug; the path had to
traverse all the way up to the root directory and back down for .fp to read
the file.)

That is indeed odd, because I still _can_ reproduce the
behavior shown, using the same setup, with Debian's groff 1.22.4
package (1.22.4-5, to be precise).

I can even get it to work using an absolute file name for the
input file from a far-away directory.


$ cd /tmp
$ nroff ~/src/GIT/groff/EXPERIMENTS/hello-dave.roff
EVIL
$ mv ~/bogusfont ~/src/GIT/groff/ATTIC/
$ nroff ~/src/GIT/groff/EXPERIMENTS/hello-dave.roff
WORD


As is shown above, the surprising output goes away if I move
the "bogus font" out of my home directory whence the `fp`
request is trying to load it.

Does this help at all?  One reason I characterize this defect as
"directory traversal" is that the input file causes the
formatter to read a font description file from a place that is
_not_ in the font path.


    _______________________________________________________

Reply to this item at:

  <https://savannah.gnu.org/bugs/?61424>

_______________________________________________
  Message sent via Savannah
  https://savannah.gnu.org/

[Prev in Thread]

Current Thread

[Next in Thread]

[bug #61424] [libgroff] directory traversal in .fp request, Dave, 2021/12/23
- [bug #61424] [libgroff] directory traversal in .fp request, G. Branden Robinson <=
  - [bug #61424] [libgroff] directory traversal in .fp request, Dave, 2021/12/29

Prev by Date: [bug #61025] [me] want control of line height alteration when super-, subscripting
Next by Date: [bug #61423] [libgroff] allow paths in "name" directive of font description file, restoring historical groff behavior
Previous by thread: [bug #61424] [libgroff] directory traversal in .fp request
Next by thread: [bug #61424] [libgroff] directory traversal in .fp request
Index(es):
- Date
- Thread