This is the mail archive of the libc-locales@sourceware.org mailing list for the GNU libc locales project.



[Bug localedata/17137] New: Directory traversal in locale environment handling (CVE-2014-0475)


https://sourceware.org/bugzilla/show_bug.cgi?id=17137

            Bug ID: 17137
           Summary: Directory traversal in locale environment handling
                    (CVE-2014-0475)
           Product: glibc
           Version: unspecified
            Status: NEW
          Severity: normal
          Priority: P2
         Component: localedata
          Assignee: fweimer at redhat dot com
          Reporter: fweimer at redhat dot com
                CC: libc-locales at sourceware dot org
             Flags: security+

Stephane Chazelas reported (via Debian) a directory traversal issue in locale
handling in glibc.  glibc accepts relative paths with ".." components in the
LC_* and LANG variables.  Together with typical OpenSSH configurations (with
suitable AcceptEnv settings in sshd_config), this could conceivably be used to
bypass ForceCommand restrictions, assuming the attacker has a sufficient level of
access to a file system location on the host to create crafted locale
definitions there.

Due to an existing AT_SECURE check, SUID/SGID binaries are not directly
vulnerable, but this protection will not necessarily extend to child processes.
For sudo, this is mitigated by the env_check defaults, so even configurations
which list LC_* variables among env_keep should be safe.

I will post patches to libc-alpha for review shortly.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
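
One way a wrapper could drop LANG and LC_* values that contain a ".." path component, the condition described in the report above, before any locale-aware program runs. This is an added example, not code from the bug report or from the glibc patch; the function names and the sample environment are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
/* Return 1 if any '/'-separated component of value is exactly "..". */
int has_dotdot_component(const char *value)
{
    for (const char *p = value; *p != '\0'; p += (*p == '/')) {
        size_t len = strcspn(p, "/");
        if (len == 2 && p[0] == '.' && p[1] == '.')
            return 1;
        p += len;               /* now at '/' or at the terminating NUL */
    }
    return 0;
}

/* Value of a "LANG=" or "LC_*=" entry, or NULL for any other variable. */
const char *locale_var_value(const char *entry)
{
    const char *eq = strchr(entry, '=');
    size_t n = eq ? (size_t)(eq - entry) : 0;   /* length of the name */
    if ((n == 4 && memcmp(entry, "LANG", 4) == 0) ||
        (n > 3 && memcmp(entry, "LC_", 3) == 0))
        return eq + 1;
    return NULL;
}

/* Drop offending entries from a NULL-terminated env in place; return the count. */
int scrub_locale_env(char **env)
{
    char **out = env;
    int dropped = 0;
    for (char **in = env; *in != NULL; in++) {
        const char *v = locale_var_value(*in);
        if (v != NULL && has_dotdot_component(v))
            dropped++;          /* locale variable with a ".." component */
        else
            *out++ = *in;       /* keep everything else untouched */
    }
    *out = NULL;
    return dropped;
}

/* Constructed sample environment (not taken from the bug report). */
int demo_dropped(void)
{
    char *env[] = { "PATH=/usr/bin", "LANG=en_US.UTF-8", "LC_TIME=C",
                    "LC_ALL=../../tmp/constructed", "EDITOR=../bin/ed", NULL };
    return scrub_locale_env(env);
}
int main(void) { printf("dropped %d\n", demo_dropped()); return 0; }
```

Only locale variables are filtered; the constructed `EDITOR` entry is kept even though its value contains "..".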

