forgot to make a patch for the original posting of the exploit.  the patch 

will keep the functionality, while eliminating exploitation possibilities.



original exploit ref:

 http://www.securityfocus.com/archive/1/323821/2003-05-28/2003-06-03/0



bash# tar -zxvf man.src.tgz

bash# patch -p0 <man.fmtbug.patch





--- man.fmtbug.patch --



diff -urP man-1.5l/src/gripes.c man-1.5l/src/gripes.c

--- man-1.5l/src/gripes.c Wed Jul 17 20:17:23 2002

+++ man-1.5l/src/gripes.c Fri Jun  6 14:51:21 2003

@@ -28,0 +28,1 @@

+#include <string.h>

@@ -68,0 +68,2 @@

+    unsigned int i = 0;

+    unsigned short fmt_n = 0;

@@ -78,0 +78,13 @@

+    /* routine to filter format string abuse.  will */

+    /* only allow %d, %s, and %o through.  no more  */

+    /* than two formats needed for any response.    */

+    for (i = 0; s[i] != 0x0; i++){

+        if (s[i] == '%' && s[i+1]){

+            if (strchr("dso", s[i+1])) /* %d,%s,%o. */

+                fmt_n++;

+            else

+                fmt_n=3; /* anything else = <limit. */

+        }

+        if (fmt_n > 2) /* failed, default reply. */

+            s = msg[n];

+    }

diff -urP man-1.5l/src/version.h man-1.5l/src/version.h

--- man-1.5l/src/version.h Fri Jun  6 14:36:40 2003

+++ man-1.5l/src/version.h Fri Jun  6 14:51:21 2003

@@ -1,1 +1,1 @@

-static char version[] = "1.5l";

+static char version[] = "1.5l-fmtfix";