oss-sec mailing list archives
Re: Re: CVE-2014-0475: glibc directory traversal in LC_* locale handling
From: Rich Felker <dalias () libc org>
Date: Fri, 11 Jul 2014 01:36:08 -0400
On Thu, Jul 10, 2014 at 04:42:39PM -0700, Tavis Ormandy wrote:
Rich Felker <dalias () libc org> wrote:On Thu, Jul 10, 2014 at 08:52:24PM +0200, Florian Weimer wrote:Stephane Chazelas discovered that directory traversal issue in locale handling in glibc. glibc accepts relative paths with ".." components in the LC_* and LANG variables. Together with typical OpenSSH configurations (with suitable AcceptEnv settings in sshd_config), this could conceivably be used to bypass ForceCommand restrictions (or restricted shells), assuming the attacker has sufficient level of access to a file system location on the host to create crafted locale definitions there.Am I correct in assuming this affects most typical git setups (e.g. gitolite) using ssh authorized_keys files with forced commands, where the malicious file could simply be created as part of the git repository? Or are these usually setup to filter the environment?I knew about this behaviour (I imagine lots of people were), but hadn't considered it a vulnerability - it's more restricted across setuid, so had assumed it was intentionally permitted. Locale files are not executable code, so even if you imagine a ForceCommand+AcceptEnv configuration *and* have the ability to create a message catalog, don't you still need another bug to exploit this?
Replacing any format string with something containing %n in the translation? Rich
Current thread:
- CVE-2014-0475: glibc directory traversal in LC_* locale handling Florian Weimer (Jul 10)
- Re: CVE-2014-0475: glibc directory traversal in LC_* locale handling Rich Felker (Jul 10)
- Re: CVE-2014-0475: glibc directory traversal in LC_* locale handling Florian Weimer (Jul 10)
- Re: CVE-2014-0475: glibc directory traversal in LC_* locale handling Solar Designer (Jul 10)
- Re: CVE-2014-0475: glibc directory traversal in LC_* locale handling Daniel Kahn Gillmor (Jul 10)
- Re: CVE-2014-0475: glibc directory traversal in LC_* locale handling Florian Weimer (Jul 10)
- Re: CVE-2014-0475: glibc directory traversal in LC_* locale handling Solar Designer (Jul 10)
- Re: CVE-2014-0475: glibc directory traversal in LC_* locale handling Florian Weimer (Jul 10)
- Re: CVE-2014-0475: glibc directory traversal in LC_* locale handling Rich Felker (Jul 10)
- Re: CVE-2014-0475: glibc directory traversal in LC_* locale handling Tavis Ormandy (Jul 10)
- Re: Re: CVE-2014-0475: glibc directory traversal in LC_* locale handling Rich Felker (Jul 10)
- Re: CVE-2014-0475: glibc directory traversal in LC_* locale handling Stephane Chazelas (Jul 21)
- Re: CVE-2014-0475: glibc directory traversal in LC_* locale handling Stephane Chazelas (Jul 21)
- Re: CVE-2014-0475: glibc directory traversal in LC_* locale handling Florian Weimer (Jul 14)
- Re: CVE-2014-0475: glibc directory traversal in LC_* locale handling Rich Felker (Jul 14)