#5166 closed enhancement (fixed)


Reported by: Bruce Dubbs Owned by: Xi Ruoyao
Priority: normal Milestone: 11.3
Component: Book Version: git
Severity: normal Keywords:


New point version.

Change History (4)

comment:1 by Xi Ruoyao, 10 months ago

Owner: changed from lfs-book to Xi Ruoyao
Status: newassigned

I'll run a jhalfs build with full tests today.

comment:2 by Xi Ruoyao, 10 months ago

man-db 2.11.1 (15 November 2022)



  • SECURITY: Replace $ characters in page names with ? when constructing less prompts.
  • Silence error message when processing an empty manual page hierarchy with a nonexistent cache directory.
  • man(1) now sorts whatis references below real pages, even if the whatis references are from a section with higher priority.


  • Add section 3type to the default section list just after 2. This is used by the Linux man-pages package.
  • Recognize more Hungarian translations of the NAME section.
Last edited 10 months ago by Xi Ruoyao (previous) (diff)

comment:3 by Xi Ruoyao, 10 months ago

From the upstream:

On Mon, Oct 17, 2022 at 10:15:08PM +0200, Jakub Wilk wrote:

"$" is a special character in $LESS, but man-db doesn't take care of neutralizing it. This could be exploited for arbitrary code execution if the user were tricked to run "man -l" on files with names crafted by the attacker.

Thanks, fixed upstream:


(I think this is a niche enough case that I don't plan to put work into getting a CVE allocated, backporting fixes, etc. If somebody else thinks otherwise then they should feel free.)

So I'll not post a SA for this one.

comment:4 by Xi Ruoyao, 10 months ago

Resolution: fixed
Status: assignedclosed

Fixed for trunk at r11.2-198-ge354e5846. Leaving #5162 open for SA.

Note: See TracTickets for help on using tickets.