[bug #55557] gropdf can execute arbitrary commands

Follow-up Comment #2, bug #7 (project groff): I think all the approaches involving careful @ARGV mangling are far too delicate and it's too hard to be certain that they're correct. My preference would be to avoid <> entirely and use three-argument open, as in the attached patch.

[bug #55557] gropdf can execute arbitrary commands

Additional Item Attachment, bug #7 (project groff): File name: 0001-Avoid-Perl-s-unsafe-operator.patch Size:20 KB ___ Reply to this item at: ___ M

Re: [bug #64301] [troff] susceptible to integer overflow

the gnulib git submodule I would recommend running: > > > > $ ./bootstrap --bootstrap-sync > > Ah, thank you. I noticed Colin Watson had recently achieved that update > for man-db and was going to ask him how to do it. I must confess that I'd generally just been cop

[oneing...@gmail.com: Bug#450434: small typo in (groff) Character Translations]

Hi, While this bug was reported against groff 1.18.1.1, I've confirmed that the typo is still present in groff CVS HEAD. Thanks, -- Colin Watson [cjwat...@debian.org] --- Begin Message --- Package: groff Version: 1.18.1.1-12 Severity: minor

[justinpry...@users.sourceforge.net: Bug#369254: groff: groff_man s/become usage/become common/]

to make the first line of the .I \%man\~page look like this: . Thanks, -- Colin Watson [cjwat...@debian.org] --- Begin Message --- Package: groff Version: 1.18.1.1-12 Severity: minor Tags: upstream patch --- - 2006-05-28 12:16:41.104563000 -0400 +++ /tm

[sand...@crustytoothpaste.ath.cx: Bug#538330: groff: pdfroff uses (and documents!) insecure temporary files]

See attached report; this is indeed a standard anti-pattern resulting in security vulnerabilities. In Debian I'd be rather tempted to use 'mktemp -d' to fix this. What do you think? -- Colin Watson [cjwat...@debian.org] --- Begin Message ---

[sand...@crustytoothpaste.ath.cx: Bug#538338: groff: pdfroff invokes gs insecurely (without -dSAFER)]

groff uses -dSAFER elsewhere (pre-html.cpp); is there any reason not to do so here? Thanks, -- Colin Watson [cjwat...@debian.org] --- Begin Message --- Package: groff Version: 1.20.1-4 Severity: grave File: /usr/bin/pdfroff Tags: security pdfroff invokes

Re: Bug#540477: man: groff_char: Incorrect unicode codes for white heart and diamond suits

t" > -.C2 u2662 uni2662 u2662 "white heart suit" > +.C2 u2661 uni2661 u2661 "white heart suit" > .C2 DI diamond u2666 "black diamond suit" > -.2e u2661 uni2661 u2661 "white diamond suit" > +.2e u2662 uni2662 u2662 "white

Re: [sand...@crustytoothpaste.ath.cx: Bug#538330: groff: pdfroff uses (and documents!) insecure temporary files]

On Sat, Jul 25, 2009 at 09:30:18AM +0100, Colin Watson wrote: > See attached report; this is indeed a standard anti-pattern resulting in > security vulnerabilities. In Debian I'd be rather tempted to use 'mktemp > -d' to fix this. What do you think? Nico Golde points

Re: [sand...@crustytoothpaste.ath.cx: Bug#538338: groff: pdfroff invokes gs insecurely (without -dSAFER)]

On Sat, Jul 25, 2009 at 09:32:38AM +0100, Colin Watson wrote: > groff uses -dSAFER elsewhere (pre-html.cpp); is there any reason not to > do so here? I'm applying this patch to the Debian package. Please consider it? === modified file 'contrib/pdfmark/pdfroff.sh' --- contr

Re: [sand...@crustytoothpaste.ath.cx: Bug#538338: groff: pdfroff invokes gs insecurely (without -dSAFER)]

On Sat, Aug 15, 2009 at 08:59:08AM +0100, Colin Watson wrote: > On Sat, Jul 25, 2009 at 09:32:38AM +0100, Colin Watson wrote: > > groff uses -dSAFER elsewhere (pre-html.cpp); is there any reason not to > > do so here? > > I'm applying this patch to the Debian package. P

[PATCH] Unnecessary bash-specific function declarations in gdiffmk

#x27;]]' -function RequiresArgument { +RequiresArgument () { # Process flags that take either concatenated or # separated values. case "$1" in Thanks, -- Colin Watson [cjwat...@debian.org] ___ bug-groff mailing list bug-groff@gnu.org http://lists.gnu.org/mailman/listinfo/bug-groff

Re: Bug#337787: .MTO produces email addresses with stray whitespace

bad to just use ASCII <> for everything; they don't seem particularly less typographically sound than the Unicode MATHEMATICAL LEFT ANGLE BRACKET and MATHEMATICAL RIGHT ANGLE BRACKET characters we're using right now. (I know that this can be changed with .LINKSTYLE, but it

[PATCH] Use POSIX-compliant 'trap' arguments

28 + +++ contrib/pic2graph/pic2graph.sh 2010-02-20 02:57:25 + @@ -86,7 +86,7 @@ if test -z "$tmp"; then { (exit 1); exit 1; } fi -trap 'exit_status=$?; rm -rf $tmp && exit $exit_status' 0 2 15 +trap 'ex

Re: lintian says "Unknown FreeBSD"

ntian.debian.org using an out-of-date groff, but I did what I could to resolve things. Thanks, -- Colin Watson [cjwat...@debian.org] ___ bug-groff mailing list bug-groff@gnu.org http://lists.gnu.org/mailman/listinfo/bug-groff

Re: lintian says "Unknown FreeBSD"

On Mon, Feb 22, 2010 at 10:00:01AM +, Colin Watson wrote: > Well, I didn't personally, as upstream had already handled it, but yes. > Werner, could you apply this patch? FreeBSD 7.3 hasn't been released > yet, but -RC1 is out. I noticed also that we needed to add an e

Re: Bug#579890: grotty: infinite loop when processing a man page

following patch would turn this into a fatal error instead, which isn't ideal either but is certainly better than an infinite loop. However, I don't know this code very well and would appreciate review. 2010-05-04 Colin Watson * src/libs/libdriver/input.

Re: Bug#579890: [pkg-wine-party] Bug#579890: grotty: infinite loop when processing a man page

clone 579890 -1 reassign -1 libwine-dev-unstable retitle -1 libwine-dev-unstable: need to escape literal backslashes in manual pages thanks On Sat, May 15, 2010 at 01:11:02PM +0200, Ove Kaaven wrote: > Colin Watson skrev: > > Thanks. Here's a reduced test case (run with 'g

doubled backspaces for bold/underline with CJK in no-SGR mode

ng to the number of characters. Does this make sense, or am I missing something? Thanks, -- Colin Watson [cjwat...@debian.org] ___ bug-groff mailing list bug-groff@gnu.org http://lists.gnu.org/mailman/listinfo/bug-groff

typo in Makefile.comm

INCLUDES) $(CDEFINES) $(CFLAGS) $(CPPFLAGS) Thanks, -- Colin Watson [cjwat...@debian.org] ___ bug-groff mailing list bug-groff@gnu.org http://lists.gnu.org/mailman/listinfo/bug-groff

Re: doubled backspaces for bold/underline with CJK in no-SGR mode

On Sun, Jan 09, 2011 at 03:34:02PM +0100, Werner LEMBERG wrote: > Colin Watson wrote: > > Given that backspacing over half a character is never a particularly > > sensible thing for a pager to do, I would suggest that we should > > assume that pagers will backspace over a ch

Re: doubled backspaces for bold/underline with CJK in no-SGR mode

; still somewhere in use. Did James really code that? 'bzr blame' shows this as having been added by you: http://bazaar.launchpad.net/~vcs-imports/groff/main/revision/1147 Cheers, -- Colin Watson [cjwat...@debian.org]

Re: [Bug 738169] [NEW] .RD macro contains .ie without .el, breaking caller's code

ch.txt.) Thanks for your report. I can reproduce it with groff 1.21, and the same problem appears to be present in CVS HEAD, so forwarding upstream. -- Colin Watson [cjwat...@debian.org] ___ bug-groff mailin

Re: Bug#629159: groff: Add support for various BSD versions

BSD. Thanks. I'll apply this in Debian, but forwarding upstream as well (reattaching your attachment for their convenience) so that it can be in the next upstream release. FreeBSD 8.2 support had already been added upstream, but the rest had not. Regards,

Re: Bug#629159: groff: Add support for various BSD versions

On Mon, Jun 06, 2011 at 11:41:54AM +0100, Colin Watson wrote: > On Sat, Jun 04, 2011 at 05:54:06AM +0200, Guillem Jover wrote: > > The attached patch adds support for various BSD versions. At least the > > FreeBSD ones will allow lintian to not warn on unknown 8.2 version > >

[PATCH] groff.texinfo fails to build with Texinfo 5.1

With Texinfo 5.1, groff.texinfo fails to build as follows: groff.texinfo:11937: macro `Defesc' called with too many args This looks like a legitimate error that makeinfo just didn't spot before. Here's a patch. 2013-07-02 Colin Watson * doc/groff.texinfo: Fix

Re: [PATCH] groff.texinfo fails to build with Texinfo 5.1

{\delimII\} > @esindex \name\ > @c > @end macro > > There *are* four arguments. So this is either a bug in texinfo 5.1, > or there are other, yet unresolved macro issues. But {\\z, , g, , } contains five arguments ("\\z", blank, "g", blank

grolbp crashes on empty input

The Mayhem team at CMU found that grolbp crashes when given input that never creates a printer, for example 'grolbp /dev/null'. This obviously won't happen in normal use via groff, but it's still inelegant and should be fixed. 2013-07-02 Colin Watson * src/de

[bug #44941] Add a `zh.tmac' file for improved Chinese typesetting

Follow-up Comment #9, bug #44941 (project groff): man-db actually extracts just the language from the path, so it loads zh.tmac rather than zh_CN.tmac. I consider this mostly as a useful backstop. It's still a good idea for individual pages to load the appropriate macros themselves; but loading

[bug #44941] Add a `zh.tmac' file for improved Chinese typesetting

Follow-up Comment #10, bug #44941 (project groff): Ah, the previous comment expresses my intent, but there was a bug. Fixed in git: http://git.savannah.gnu.org/cgit/man-db.git/commit/?id=d450d4c2d3c09a629ef95d02d250a6cb290764ca ___ Repl

[bug #66758] [mm] commit 88cd50aa causes troff fatal error when using present.tmac

Additional Item Attachment, bug #66758 (group groff): File name: 0001-mm-Fix-typo-in-conditional.patch Size: 725B AGPL NOTICE These attachments are served by Savane. You can download the corresponding

[bug #66758] [mm] commit 88cd50aa causes troff fatal error when using present.tmac

Follow-up Comment #3, bug #66758 (group groff): I attached a suggested patch. Feel free to adjust the commit message per local style. ___ Reply to this item at: __

[bug #66597] Allow environment-variable-based overriding of default paper size?

Follow-up Comment #2, bug #66597 (group groff): For the record, I submitted this bug report. Sorry, I didn't notice that I wasn't logged in at the time. ___ Reply to this item at: ___

[bug #67169] [man] URLs specified with `UR` "simply dropped" with `-Tpdf` on Ubuntu 24.04

Follow-up Comment #9, bug #67169 (group groff): I think the problem here is that https://salsa.debian.org/debian/groff/-/blob/master/debian/patches/man-hyperlinks.patch enables the `U` register, but I hadn't realized that that's broken in 1.23.0 for PDF output (https://savannah.gnu.org/bugs/?64572

[bug #67169] [man] URLs specified with `UR` "simply dropped" with `-Tpdf` on Ubuntu 24.04

Follow-up Comment #10, bug #67169 (group groff): Actually, it can't just be that patch, because an.tmac in 1.23.0 also has: .if !r U \ . nr U 1 So would I be better off just cherry-picking https://cgit.git.savannah.gnu.org/cgit/groff.git/commit/?id=d9e90209725a716dff23807da403c58020c9 ? Th

[bug #67169] [man] URLs specified with `UR` "simply dropped" with `-Tpdf` on Ubuntu 24.04

Follow-up Comment #11, bug #67169 (group groff): Debian tracking bug: https://bugs.debian.org/1107068 ___ Reply to this item at: ___ Message sent via Sa