oss-sec mailing list archives

Re: CVE-2014-0475: glibc directory traversal in LC_* locale handling


From: Solar Designer <solar () openwall com>
Date: Thu, 10 Jul 2014 23:41:50 +0400

On Thu, Jul 10, 2014 at 09:23:48PM +0200, Florian Weimer wrote:
> * Rich Felker:
> 
> > Am I correct in assuming this affects most typical git setups (e.g.
> > gitolite) using ssh authorized_keys files with forced commands, where
> > the malicious file could simply be created as part of the git
> > repository?
> 
> Probably, especially if there is a checkout of the repository in the
> file system under a predictable path.  (I expect that most hosted
> repositories use the bare format.)  I don't know how common this is
> with the existing Git hosting frameworks.  Some of them don't use
> OpenSSH and may not implement environment variable processing at all.
> 
> > Or are these usually set up to filter the environment?
> 
> It seems fairly likely because unexpected, but benign locale settings
> would interfere with the hook script processing (which likely assume
> U.S. date formats and UTF-8).

The man page for sshd_config(5) says this about AcceptEnv:

"The default is not to accept any environment variables."

The default sshd_config found in openssh-6.6p1.tar.gz does not list
AcceptEnv, so presumably by default OpenSSH portable does not accept any
environment variables.

However, apparently some distros override this safe default:

https://bugzilla.redhat.com/show_bug.cgi?id=1077843#c6

| Huzaifa S. Sidhpurwala  2014-03-21 02:31:29 EDT 
| 
| The sshd_config file by default contains the following AcceptEnv directives.
| 
| AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
| AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
| AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
| AcceptEnv XMODIFIERS

Is there a supported way for distros to configure OpenSSH such that a
number of environment variables would be accepted by default, but only
as long as no command is forced?  This could be an acceptable tradeoff.

Alexander
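The two practical questions in this message are whether a given sshd_config forwards locale variables at all, and how a forced-command setup can refuse them even when the distro default accepts them. The script below is an added example for this thread; it is not code from OpenSSH, from any distro, or from the post's author. It assumes sshd_config uses the whitespace-separated `AcceptEnv NAME ...` form, and the authorized_keys line in the comment (wrapper path, key) is hypothetical. The sample config in the demo is constructed to mirror the Red Hat default quoted above.

```shell
#!/bin/sh
# Added example (not from OpenSSH, the oss-sec thread, or any distro):
#  1. audit_acceptenv: report locale variables an sshd_config forwards.
#  2. run_with_clean_locale: wrapper for authorized_keys forced commands that
#     drops client-supplied locale variables before running the real command.

# Print every LANG/LANGUAGE/LC_* name listed on AcceptEnv lines of the given
# sshd_config. Returns 1 if any is found, 0 otherwise. Comments are stripped
# first, the keyword is matched case-insensitively as sshd does, and several
# AcceptEnv lines accumulate, so every line is scanned. A wildcard such as
# "LC_*" is reported as written.
audit_acceptenv() {
    hits=$(sed -e 's/#.*//' "$1" | awk '
        tolower($1) == "acceptenv" {
            for (i = 2; i <= NF; i++)
                if ($i == "LANG" || $i == "LANGUAGE" || $i ~ /^LC_/)
                    print $i
        }')
    if [ -n "$hits" ]; then
        printf 'locale variables forwarded by AcceptEnv:\n%s\n' "$hits"
        return 1
    fi
    return 0
}

# Forced-command wrapper. Every locale variable in the environment is removed
# (the default list quoted above plus any other LC_* name, however it arrived),
# LC_ALL is pinned to C so hooks see a predictable locale, and the real command
# given as arguments is run. A stand-alone wrapper script would exec it instead.
# Hypothetical authorized_keys use (wrapper path and key are placeholders):
#   command="/usr/local/bin/clean-locale-wrapper git-shell -c ..." ssh-ed25519 AAAA...
run_with_clean_locale() {
    for v in $(env | awk -F= '$1 == "LANG" || $1 == "LANGUAGE" || $1 ~ /^LC_[A-Z_]*$/ { print $1 }'); do
        unset "$v"
    done
    LC_ALL=C
    export LC_ALL
    "$@"
}

# Demo: run with --demo to audit a constructed config and exercise the wrapper.
if [ "${1-}" = "--demo" ]; then
    cfg=$(mktemp)
    # Constructed sshd_config fragment mirroring the distro default quoted above.
    cat > "$cfg" <<'EOF'
# Accept locale environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
EOF
    audit_acceptenv "$cfg" || echo "=> tighten AcceptEnv or wrap forced commands"
    rm -f "$cfg"
    # Subshell so the exported test values do not leak into the caller's shell.
    ( export LANG=de_DE.UTF-8 LC_TIME=x
      run_with_clean_locale sh -c 'echo "LANG=${LANG-unset} LC_TIME=${LC_TIME-unset} LC_ALL=$LC_ALL"' )
fi
```

Running `sh audit.sh --demo` against the constructed config lists the fourteen LANG/LC_*/LANGUAGE names and exits the audit with status 1, while XMODIFIERS is ignored; the wrapper call then prints `LANG=unset LC_TIME=unset LC_ALL=C`. The wrapper answers the tradeoff asked about above from the forced-command side rather than from sshd_config: interactive users keep whatever the distro accepts, but anything run under the wrapper gets no client locale at all.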

