This is the mail archive of the libc-locales@sourceware.org mailing list for the GNU libc locales project.
[Bug localedata/17137] New: Directory traversal in locale environment handling (CVE-2014-0475)
- From: "fweimer at redhat dot com" <sourceware-bugzilla at sourceware dot org>
- To: libc-locales at sourceware dot org
- Date: Wed, 09 Jul 2014 16:09:27 +0000
- Subject: [Bug localedata/17137] New: Directory traversal in locale environment handling (CVE-2014-0475)
- Auto-submitted: auto-generated
https://sourceware.org/bugzilla/show_bug.cgi?id=17137
Bug ID: 17137
Summary: Directory traversal in locale environment handling (CVE-2014-0475)
Product: glibc
Version: unspecified
Status: NEW
Severity: normal
Priority: P2
Component: localedata
Assignee: fweimer at redhat dot com
Reporter: fweimer at redhat dot com
CC: libc-locales at sourceware dot org
Flags: security+

Stephane Chazelas reported (via Debian) a directory traversal issue in locale
handling in glibc. glibc accepts relative paths with ".." components in the
LC_* and LANG variables. Together with typical OpenSSH configurations (with
suitable AcceptEnv settings in sshd_config), this could conceivably be used to
bypass ForceCommand restrictions, assuming the attacker has a sufficient level of
access to a file system location on the host to create crafted locale
definitions there.

Due to an existing AT_SECURE check, SUID/SGID binaries are not directly
vulnerable, but this protection will not necessarily extend to child processes.
For sudo, this is mitigated by the env_check defaults, so even configurations
which list LC_* variables among env_keep should be safe.

I will post patches to libc-alpha for review shortly.
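
An added example, not part of the original bug report and not glibc's or the reporter's code: a defensive check that a restricted-command wrapper could run over its environment before starting a child process, flagging LANG and LC_* values that are paths or contain ".." components. The function names, the verdict enum, the rule that any '/' is suspicious, and the sample environment are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>

enum locale_verdict { LOCALE_OK = 0, LOCALE_PATH = 1, LOCALE_TRAVERSAL = 2 };

/* Classify one locale value. Policy is this example's assumption: any '/'
   makes the value a path rather than a plain locale name, and a ".."
   path component makes it a traversal attempt. */
enum locale_verdict check_locale_value(const char *value)
{
    enum locale_verdict verdict = LOCALE_OK;
    const char *p = value;
    while (*p != '\0') {
        size_t len = strcspn(p, "/");          /* length of this component */
        if (len == 2 && p[0] == '.' && p[1] == '.')
            return LOCALE_TRAVERSAL;
        p += len;
        if (*p == '/') { verdict = LOCALE_PATH; p++; }
    }
    return verdict;
}

/* Worst verdict over the LANG and LC_* entries of a NULL-terminated,
   envp-style array; other variables are ignored. */
enum locale_verdict scan_locale_env(char *const envp[])
{
    enum locale_verdict worst = LOCALE_OK;
    for (size_t i = 0; envp[i] != NULL; i++) {
        const char *eq = strchr(envp[i], '=');
        int is_locale = strncmp(envp[i], "LANG=", 5) == 0 ||
                        strncmp(envp[i], "LC_", 3) == 0;
        if (eq == NULL || !is_locale)
            continue;
        enum locale_verdict v = check_locale_value(eq + 1);
        if (v > worst)
            worst = v;
    }
    return worst;
}

int main(void)
{
    /* Constructed sample environment, not taken from a real session. */
    char *const sample[] = { "LANG=en_US.UTF-8", "PATH=/usr/bin",
                             "LC_MESSAGES=../../tmp/crafted", NULL };
    printf("verdict=%d\n", scan_locale_env(sample));
    return 0;
}
```

A wrapper that gets anything other than LOCALE_OK can unset the offending variable or refuse to run the child.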