oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

Re: CVE-2014-0475: glibc directory traversal in LC_* locale handling

From: Daniel Kahn Gillmor <dkg () fifthhorseman net>
Date: Thu, 10 Jul 2014 15:48:34 -0400
On 07/10/2014 03:41 PM, Solar Designer wrote:

The default sshd_config found in openssh-6.6p1.tar.gz does not list
AcceptEnv, so presumably by default OpenSSH portable does not accept any
environment variables.

However, apparently some distros override this safe default:

https://bugzilla.redhat.com/show_bug.cgi?id=1077843#c6

| Huzaifa S. Sidhpurwala  2014-03-21 02:31:29 EDT 
| 
| The sshd_config file by default contain the following AcceptEnv directives.
| 
| AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
| AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
| AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
| AcceptEnv XMODIFIERS


Debian also ships a default sshd_config with:

AcceptEnv LANG LC_*

To be clear: the override is in the default config files, there are no
changes to the sshd binary itself, which still defaults to nothing in
AcceptEnv.

        --dkg

Attachment: signature.asc
Description: OpenPGP digital signature

Previous By Date Next
Previous By Thread Next

Current thread: