Fedora has issued an advisory on March 6:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BAS4Z6KUDJQV22DP5BTQX56WVFT3FF32/

At least, the following patches fix some security issues:
https://src.fedoraproject.org/rpms/man2html/blob/rawhide/f/042-man2html-CVE-2021-40647.patch
https://src.fedoraproject.org/rpms/man2html/blob/rawhide/f/043-man2html-fix-asan-issues.patch
CVE: (none) => CVE-2021-40647
Whiteboard: (none) => MGA9TOO
Status comment: (none) => Patches available from Fedora
Source RPM: (none) => man2html-1.6-7.mga10.src.rpm, man2html-1.6-6.mga9.src.rpm
Thanks for the patch references. Various packagers deal with this, so assigning the bug globally.
Assignee: bugsquad => pkg-bugs
Created attachment 14890
Diff from the spec on Mageia 9

I was not sure about including the asan patch, but it does not produce side effects in the build.
Created attachment 14891
Patch for the CVE
Created attachment 14892
Patch for asan
Created attachment 14893
Build log for Cauldron

The changes build OK for Mageia 9 but not for Cauldron. I'll check whether there are additional changes in the spec for Cauldron.
Created attachment 14894
Diff from the spec in Cauldron

This diff works for the Cauldron version.
I don't feel sure about sending the changes myself; take a look and give the green light if it is good for you.
CC: (none) => yvesbrungard
Hi, For me the changes look good. Best regards, Nico.
(In reply to Nicolas Salguero from comment #8)
> Hi,
>
> For me the changes look good.
>
> Best regards,
>
> Nico.

I sent the changes for Cauldron and Mageia 9; you or papoteur should send the build.
Hi, I sent the packages to the BS. Best regards, Nico.
Packages:
man2html-1.6-6.1.mga9
man2html-core-1.6-6.1.mga9

SRPM:
man2html-1.6-6.1.mga9
Version: Cauldron => 9
Assignee: pkg-bugs => qa-bugs
Whiteboard: MGA9TOO => (none)
After some configurations:

Install apache-mod_fcgid
Install current package
cd /var/www/cgi-bin/
ln -s /usr/lib/man2html/cgi-bin/man man
(Note: some time ago I had to tweak the Apache configuration to make symlinks work)
systemctl restart httpd.service

http://localhost/cgi-bin/man/man2html

Shows:

Manual pages
This is a HyperText interface to the UNIX man pages. You can enter a program name, the section, an extra directory (using -M) or a full name. For example
elm
elm 1
-M /usr/local/man elm
/usr/share/man/man1/gperf.1
This man2html converter was written by Richard Verhoeven

Update to testing packages:

installing man2html-1.6-6.1.mga9.x86_64.rpm man2html-core-1.6-6.1.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64
Preparing...
1/2: man2html-core
2/2: man2html
1/2: removing man2html-1.6-6.mga9.x86_64
2/2: removing man2html-core-1.6-6.mga9.x86_64

systemctl restart httpd.service

http://localhost/cgi-bin/man/man2html

Shows:

Manual pages
This is a HyperText interface to the UNIX man pages. You can enter a program name, the section, an extra directory (using -M) or a full name. For example
elm
elm 1
-M /usr/local/man elm
/usr/share/man/man1/gperf.1
This man2html converter was written by Richard Verhoeven

http://localhost/cgi-bin/man/man2html?man

Shows:

Index to man man pages.
man.1.xz (/usr/share/man/)
man.7.xz (/usr/share/man/)

Perhaps I need to do something more, because http://localhost/cgi-bin/man/man2html?wget shows:

Invalid Manpage
The requested file /usr/share/man/man1/wget.1.xz is not a valid (unformatted) man page. If the file is a formatted manpage, you could try to load the plain file.

And following http://localhost/man/man2html/usr/share/man/man7/man.7.xz produces this Spanish message:

¡Objeto no localizado!
No se ha localizado la URL solicitada en este servidor. La URL de la página que le ha remitido parece ser errónea o estar obsoleta. Por favor, informe del error al autor de esa página.
Si usted cree que esto es un error del servidor, por favor comuníqueselo al administrador del portal.
Error 404
localhost
Apache/2.4.62 (Mageia) OpenSSL/3.0.15 mod_fcgid/2.3.9

Well, no update issues, and the issues making it work are maybe between the chair and the computer ;)
Keywords: (none) => advisory
@katnatek
What do you mean by "I have to tweak time ago the apache configuration to make symlinks works"? Can you be more specific????
CC: (none) => herman.viaene
I added the line
Options FollowSymLinks
to the httpd.conf just after <Directory "/var/www/cgi-bin">
and restarted httpd, but kept getting the 403 error.
I can't see anything wrong with the access rights.
(In reply to Herman Viaene from comment #13)
> @katnatek
> What do you mean by "I have to tweak time ago the apache configuration to
> make symlinks works". Can you be more specific????

(In reply to Herman Viaene from comment #14)
> I added the line
> Options FollowSymLinks
> to the httpd.conf just after <Directory "/var/www/cgi-bin">
> and restarted httpd, but kept getting the 403 error
> I can't see anything wrong with the access rights.

I read in some place that options need to start with +, and with some changes it works.

I sent you my file by mail.
(In reply to katnatek from comment #15)
> (In reply to Herman Viaene from comment #13)
> I read in some place that options need to start with + and with some changes
> it works
>
> I send you my file by mail

Probably here: https://superuser.com/posts/244252/revisions
I confirm a theory: the tool does not like compressed man pages.

man2html /usr/share/man/man1/wget.1.xz
Content-type: text/html

<HTML><HEAD><TITLE>Invalid Manpage</TITLE></HEAD>
<BODY>
<H1>Invalid Manpage</H1>
The requested file /usr/share/man/man1/wget.1.xz is not a valid (unformatted) man page.
If the file is a formatted manpage, you could try to load the <A HREF="file://localhost/usr/share/man/man1/wget.1.xz">plain file</A>.
</BODY></HTML>

xzcat /usr/share/man/man1/wget.1.xz|man2html > wget.html

And load wget.html in the browser.

This should be enough; waiting for Herman's feedback.
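The workaround in the comment above (decompress first, then pipe to man2html), as an added example that is not part of the original bug report: it picks the decompressor from the file's magic bytes rather than its extension, and generalizes the xz case to gzip and bzip2. The function names `decompressor_for` and `man2html_any` are hypothetical; man2html reading the page from stdin is as shown in the comment.

```shell
#!/bin/sh
# Added example (not from the bug report): choose a decompressor from the
# file's magic bytes, then feed the plain roff source to man2html on stdin.

# Print the command that writes the decompressed content of stdin to stdout.
decompressor_for() {
    # First six bytes as lowercase hex, e.g. "fd377a585a00" for xz.
    # Reading via redirection keeps odd file names from being parsed as options.
    magic=$(od -An -tx1 -N6 < "$1" | tr -d ' \n')
    case "$magic" in
        fd377a585a00) echo "xz -dc" ;;     # xz container
        1f8b*)        echo "gzip -dc" ;;   # gzip
        425a68*)      echo "bzip2 -dc" ;;  # bzip2 ("BZh")
        *)            echo "cat" ;;        # treat as uncompressed roff
    esac
}

# Convert one man page (compressed or not) to HTML on stdout.
man2html_any() {
    if [ ! -f "$1" ] || [ ! -r "$1" ]; then
        echo "not a readable regular file: $1" >&2
        return 1
    fi
    # Unquoted on purpose: the value is one of the fixed strings above.
    $(decompressor_for "$1") < "$1" | man2html
}

# Stand-alone use: sh this-script /usr/share/man/man1/wget.1.xz > wget.html
if [ "$#" -gt 0 ]; then
    man2html_any "$1"
fi
```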
Using the httpd.conf I received, gets rid of the 403 error. Tx katnatek. So should be good to go.
Whiteboard: (none) => MGA9-64-OK
Validating.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2025-0097.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
Created attachment 14899
PHP version of the man2html CGI component

I wrote this PHP to basically mimic the CGI function, and it works with the xz manpages of Mageia.
Obviously it requires webserver+PHP compatibility for the webserver.
I made some tests and it works; perhaps it needs some enhancement, but I think it is a good alternative for live testing in the browser.