Bug 34072 - man2html new security issues, including CVE-2021-40647
Summary: man2html new security issues, including CVE-2021-40647
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2025-03-07 16:25 CET by Nicolas Salguero
Modified: 2025-03-15 19:22 CET (History)
4 users

See Also:
Source RPM: man2html-1.6-7.mga10.src.rpm, man2html-1.6-6.mga9.src.rpm
CVE: CVE-2021-40647
Status comment: Patches available from Fedora


Attachments
Diff from the spec on mageia 9 (599 bytes, patch)
2025-03-07 21:41 CET, katnatek
Patch for the cve (377 bytes, patch)
2025-03-07 21:42 CET, katnatek
Patch for asan (2.78 KB, message/rfc822)
2025-03-07 21:42 CET, katnatek
Build log for cauldron (31.27 KB, application/gzip)
2025-03-07 21:46 CET, katnatek
Diff from the spec in cauldron (641 bytes, patch)
2025-03-07 21:55 CET, katnatek
Php version of the man2html cgi component (1.48 KB, text/plain)
2025-03-15 19:22 CET, katnatek

Nicolas Salguero 2025-03-07 16:26:24 CET

CVE: (none) => CVE-2021-40647
Whiteboard: (none) => MGA9TOO
Status comment: (none) => Patches available from Fedora
Source RPM: (none) => man2html-1.6-7.mga10.src.rpm, man2html-1.6-6.mga9.src.rpm

Comment 1 Lewis Smith 2025-03-07 21:05:53 CET
Thanks for the patch references.
Various packagers deal with this, so assigning the bug globally.

Assignee: bugsquad => pkg-bugs

Comment 2 katnatek 2025-03-07 21:41:21 CET
Created attachment 14890
Diff from the spec on mageia 9

I was not sure about including the asan patch, but it does not produce side effects in the build
Comment 3 katnatek 2025-03-07 21:42:19 CET
Created attachment 14891
Patch for the cve
Comment 4 katnatek 2025-03-07 21:42:45 CET
Created attachment 14892
Patch for asan
Comment 5 katnatek 2025-03-07 21:46:18 CET
Created attachment 14893
Build log for cauldron

The changes build OK for mageia 9 but not for cauldron. I'll check whether there are additional changes in the spec for cauldron
Comment 6 katnatek 2025-03-07 21:55:31 CET
Created attachment 14894
Diff from the spec in cauldron

This diff works for the cauldron version
Comment 7 katnatek 2025-03-07 21:57:03 CET
I don't feel sure about sending the changes myself; give it a look and
give the green light if it is good for you
katnatek 2025-03-07 22:00:06 CET

CC: (none) => yvesbrungard

Comment 8 Nicolas Salguero 2025-03-11 16:50:13 CET
Hi,

For me the changes look good.

Best regards,

Nico.
Comment 9 katnatek 2025-03-11 18:40:22 CET
(In reply to Nicolas Salguero from comment #8)
> Hi,
> 
> For me the changes look good.
> 
> Best regards,
> 
> Nico.

I sent the changes for cauldron and mageia 9; you or papoteur should
send the build
Comment 10 Nicolas Salguero 2025-03-12 08:57:39 CET
Hi,

I sent the packages to the BS.

Best regards,

Nico.
Comment 11 katnatek 2025-03-12 22:48:37 CET
Packages:
man2html-1.6-6.1.mga9
man2html-core-1.6-6.1.mga9

SRPM:
man2html-1.6-6.1.mga9

Version: Cauldron => 9
Assignee: pkg-bugs => qa-bugs
Whiteboard: MGA9TOO => (none)

Comment 12 katnatek 2025-03-12 23:35:21 CET
After some configuration:

Install apache-mod_fcgid
Install current package
cd /var/www/cgi-bin/
ln -s /usr/lib/man2html/cgi-bin/man man
(Note: I had to tweak the apache configuration some time ago to make symlinks work)

systemctl restart httpd.service

http://localhost/cgi-bin/man/man2html

Shows 

Manual pages
This is a HyperText interface to the UNIX man pages. You can enter a program name, the section, an extra directory (using -M) or a full name. For example

    elm
    elm 1
    -M /usr/local/man elm
    /usr/share/man/man1/gperf.1 

This man2html converter was written by Richard Verhoeven 

Update to testing packages

installing man2html-1.6-6.1.mga9.x86_64.rpm man2html-core-1.6-6.1.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64
Preparing...                     ##################################################################################################
      1/2: man2html-core         ##################################################################################################
      2/2: man2html              ##################################################################################################
      1/2: removing man2html-1.6-6.mga9.x86_64
                                 ##################################################################################################
      2/2: removing man2html-core-1.6-6.mga9.x86_64
                                 ##################################################################################################

systemctl restart httpd.service

http://localhost/cgi-bin/man/man2html

Shows 

Manual pages
This is a HyperText interface to the UNIX man pages. You can enter a program name, the section, an extra directory (using -M) or a full name. For example

    elm
    elm 1
    -M /usr/local/man elm
    /usr/share/man/man1/gperf.1 

This man2html converter was written by Richard Verhoeven 

http://localhost/cgi-bin/man/man2html?man
Shows
Index to man man pages.

    man.1.xz (/usr/share/man/)
    man.7.xz (/usr/share/man/) 

Perhaps I need to do something more because http://localhost/cgi-bin/man/man2html?wget shows

Invalid Manpage
The requested file /usr/share/man/man1/wget.1.xz is not a valid (unformatted) man page. If the file is a formatted manpage, you could try to load the plain file. 

And following http://localhost/man/man2html/usr/share/man/man7/man.7.xz
produces this Spanish message:

¡Objeto no localizado!

No se ha localizado la URL solicitada en este servidor. La URL de la página que le ha remitido parece ser errónea o estar obsoleta. Por favor, informe del error al autor de esa página.

Si usted cree que esto es un error del servidor, por favor comuníqueselo al administrador del portal.
Error 404
localhost
Apache/2.4.62 (Mageia) OpenSSL/3.0.15 mod_fcgid/2.3.9 

Well, no update issues, and the issues making it work are maybe between the chair and the computer ;)
katnatek 2025-03-13 00:10:58 CET

Keywords: (none) => advisory

Comment 13 Herman Viaene 2025-03-13 11:56:07 CET
@katnatek
What do you mean by "I had to tweak the apache configuration some time ago to make symlinks work". Can you be more specific????

CC: (none) => herman.viaene

Comment 14 Herman Viaene 2025-03-13 13:56:31 CET
I added the line
    Options FollowSymLinks
to the httpd.conf just after <Directory "/var/www/cgi-bin">
and restarted httpd, but kept getting the 403 error.
I can't see anything wrong with the access rights.
Comment 15 katnatek 2025-03-13 17:52:14 CET
(In reply to Herman Viaene from comment #13)
> @katnatek
> What do you mean by "I had to tweak the apache configuration some time ago
> to make symlinks work". Can you be more specific????

(In reply to Herman Viaene from comment #14)
> I added the line
>     Options FollowSymLinks
> to the httpd.conf just after <Directory "/var/www/cgi-bin">
> and restarted httpd, but kept getting the 403 error.
> I can't see anything wrong with the access rights.

I read somewhere that options need to start with +, and with some changes it works

I'm sending you my file by mail
Comment 16 katnatek 2025-03-13 18:22:26 CET
(In reply to katnatek from comment #15)
> (In reply to Herman Viaene from comment #13)

> I read somewhere that options need to start with +, and with some changes
> it works
> 
> I'm sending you my file by mail

Probably here https://superuser.com/posts/244252/revisions
Comment 17 katnatek 2025-03-13 18:37:52 CET
I confirm a theory: the tool does not like compressed man pages

man2html /usr/share/man/man1/wget.1.xz
Content-type: text/html

<HTML><HEAD><TITLE>Invalid Manpage</TITLE></HEAD>
<BODY>
<H1>Invalid Manpage</H1>
The requested file /usr/share/man/man1/wget.1.xz is not a valid (unformatted) man page.
If the file is a formatted manpage, you could try to load the
<A HREF="file://localhost/usr/share/man/man1/wget.1.xz">plain file</A>.
</BODY></HTML>


xzcat /usr/share/man/man1/wget.1.xz|man2html > wget.html

And load wget.html in the browser

This should be enough, waiting for Herman's feedback
Comment 18 Herman Viaene 2025-03-14 10:07:01 CET
Using the httpd.conf I received gets rid of the 403 error. Tx katnatek. So it should be good to go.

Whiteboard: (none) => MGA9-64-OK

Comment 19 Thomas Andrews 2025-03-14 20:34:32 CET
Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 20 Mageia Robot 2025-03-15 02:41:24 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2025-0097.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Comment 21 katnatek 2025-03-15 19:22:39 CET
Created attachment 14899
Php version of the man2html cgi component

I wrote this php to basically mimic the cgi function, and it works with the xz manpages of mageia

Obviously it requires webserver+php compatibility for the webserver

I made some tests and it works; perhaps it needs some enhancement, but
I think it is a good alternative for live testing in the browser
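The compressed-page finding of comment 17 and the CGI-mimicking wrapper described in comment 21, as an added Python example that is not part of the bug report, the PHP attachment or man2html itself: it looks a page up by name and optional section under /usr/share/man, decompresses .xz or .gz transparently, applies a simple "does this look like unformatted roff" check that stands in for man2html's own Invalid Manpage test (the heuristic is an assumption), and then pipes the plain text into man2html's stdin exactly as `xzcat ... | man2html` does in comment 17. The pages in SAMPLES are constructed for offline testing and are not real Mageia files.

```python
"""Locate, decompress and validate a man page before piping it to man2html.

Added example for Mageia bug 34072 (not code from the bug, man2html or the PHP
attachment); the roff heuristic and the sample pages below are assumptions."""
import gzip
import lzma
import re
import subprocess
import tempfile
from pathlib import Path

MAN_ROOT = Path("/usr/share/man")  # Mageia's man tree, as seen in the bug

# Decompressor per suffix; a plain file falls back to the built-in open().
OPENERS = {".xz": lzma.open, ".gz": gzip.open}

# A page name or section is one path component (letters, digits, . _ + -),
# so a request can never name a file outside the man tree.
TOKEN_RE = re.compile(r"^[A-Za-z0-9_.+-]+$")


def find_page(name, section=None, root=MAN_ROOT):
    """Return the Path of name.<section>[.xz|.gz] under root, or None.

    Without a section every man*/ directory is searched in sorted order.
    Full paths like /usr/share/man/man1/gperf.1 (accepted by the real CGI)
    are rejected here: only bare page names are looked up.
    """
    if not TOKEN_RE.match(name):
        raise ValueError(f"invalid page name: {name!r}")
    if section is not None and not TOKEN_RE.match(section):
        raise ValueError(f"invalid section: {section!r}")
    dirs = [root / f"man{section}"] if section else sorted(root.glob("man*"))
    for d in dirs:
        if not d.is_dir():
            continue
        sec = section or d.name[len("man"):]
        for suffix in ("", *OPENERS):  # plain file first, then compressed
            candidate = d / f"{name}.{sec}{suffix}"
            if candidate.is_file():
                return candidate
    return None


def read_roff(path):
    """Return the page's bytes, decompressing according to its suffix."""
    with OPENERS.get(path.suffix, open)(path, "rb") as fh:
        return fh.read()


def is_unformatted_manpage(data):
    """True if the first non-blank line is a roff request such as `.TH WGET 1`;
    text already formatted by `man` starts with a plain word instead.
    Assumed stand-in for the check behind man2html's "Invalid Manpage" page."""
    for line in data.splitlines():
        if line.strip():
            return line.lstrip()[:1] in (b".", b"'")
    return False


def render_with_man2html(data):
    """Pipe decompressed roff into man2html's stdin, as `xzcat ... | man2html` does."""
    return subprocess.run(["man2html"], input=data, capture_output=True,
                          check=True).stdout


# Constructed sample pages for offline testing (not real Mageia files).
SAMPLES = {
    ("man1", "wget.1.xz", lzma.open):
        b'.\\" constructed sample\n.TH WGET 1\n.SH NAME\nwget \\- downloader\n',
    ("man7", "man.7.gz", gzip.open):
        b".TH MAN 7\n.SH NAME\nman \\- macros to format man pages\n",
    ("man1", "formatted.1.xz", lzma.open):  # pre-rendered: must be rejected
        b"WGET(1)        User Commands        WGET(1)\n\nNAME\n       wget\n",
}


def demo():
    """Build the sample tree, then run lookup, decompression and validation."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for (subdir, filename, opener), body in SAMPLES.items():
            (root / subdir).mkdir(exist_ok=True)
            with opener(root / subdir / filename, "wb") as fh:
                fh.write(body)
        wget = find_page("wget", "1", root)
        try:
            find_page("/usr/share/man/man1/gperf.1", None, root)
            fullpath_rejected = False
        except ValueError:
            fullpath_rejected = True
        return {
            "wget_file": wget.name,
            "wget_ok": is_unformatted_manpage(read_roff(wget)),
            "man_file": find_page("man", None, root).name,
            "formatted_ok": is_unformatted_manpage(read_roff(find_page("formatted", "1", root))),
            "fullpath_rejected": fullpath_rejected,
        }
```

Wired behind a CGI or PHP front end, the front end parses the query (for example `?wget`), calls find_page, read_roff and is_unformatted_manpage, and writes the output of render_with_man2html after a Content-type header; demo() exercises every step except the final man2html call, so it runs on a machine where man2html is not installed.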
