Reported to Bugtraq by Progeny Service Network in an advisory dated May 10, 2001.
Progeny Debian 1.0
Debian Linux 2.2
man-db is the Debian utility used to display on-line help files.
Affected versions of this utility improperly set write permissions in manual page directories. The settings allow the invoking 'man' user to overwrite the mandb binary itself, potentially replacing it with malicious code.
Since mandb assumes the privilege level of the user running it, the possibility of a user replacing it with a hostile binary prior to its execution by a privileged user (including root) has serious security implications for the vulnerable host.
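A defender-side check for the condition described above, as an added example that is not part of the original advisory: it reports when a program, or the directory holding it, is owned by or writable to an account other than the trusted one. The function names are hypothetical and GNU `stat` (as shipped on Debian) is assumed.

```shell
#!/bin/sh
# Added example, not from the advisory. Assumes GNU stat (Debian coreutils).
# A binary that privileged users execute can be replaced by an unprivileged
# account if that account owns it, or has group/other write access to the
# file or to the directory that contains it.

# check_one PATH TRUSTED_UID
# Prints one finding per problem; returns 1 if any problem was found.
check_one() {
    target=$1
    trusted=$2
    info=$(stat -L -c '%u %a' -- "$target") || {
        echo "UNREADABLE: $target"
        return 1
    }
    owner=${info% *}   # numeric uid of the owner
    mode=${info#* }    # octal permission bits, e.g. 755 or 2775
    status=0
    if [ "$owner" -ne "$trusted" ]; then
        echo "OWNER uid=$owner (expected $trusted): $target"
        status=1
    fi
    # 022 masks the group-write and other-write bits.
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "WRITABLE mode=$mode (group/other write): $target"
        status=1
    fi
    return $status
}

# audit_replaceable FILE [TRUSTED_UID]
# Checks FILE and its containing directory; TRUSTED_UID defaults to 0 (root).
# Sticky world-writable directories are still reported and need manual review.
audit_replaceable() {
    file=$1
    trusted=${2:-0}
    rc=0
    check_one "$file" "$trusted" || rc=1
    check_one "$(dirname -- "$file")" "$trusted" || rc=1
    return $rc
}

# Typical use on a host: audit_replaceable "$(command -v mandb)"
```

A non-zero return means the file or its directory should be re-owned to the trusted account and have group/other write removed before privileged users run the program again.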
Currently the SecurityFocus staff are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: firstname.lastname@example.org.