Re: Re: CVE-2014-0475: glibc directory traversal in LC_* locale handling

[Rich Felker <dalias () libc org>]

On Thu, Jul 10, 2014 at 04:42:39PM -0700, Tavis Ormandy wrote:
> Rich Felker <dalias () libc org> wrote:
>
> > On Thu, Jul 10, 2014 at 08:52:24PM +0200, Florian Weimer wrote:
> > > Stephane Chazelas discovered that directory traversal issue in locale
> > > handling in glibc.  glibc accepts relative paths with ".." components in
> > > the LC_* and LANG variables.  Together with typical OpenSSH
> > > configurations (with suitable AcceptEnv settings in sshd_config), this
> > > could conceivably be used to bypass ForceCommand restrictions (or
> > > restricted shells), assuming the attacker has sufficient level of access
> > > to a file system location on the host to create crafted locale
> > > definitions there.
> >
> > Am I correct in assuming this affects most typical git setups (e.g.
> > gitolite) using ssh authorized_keys files with forced commands, where the
> > malicious file could simply be created as part of the git repository? Or
> > are these usually setup to filter the environment?
>
> I knew about this behaviour (I imagine lots of people were), but hadn't
> considered it a vulnerability - it's more restricted across setuid, so had
> assumed it was intentionally permitted. Locale files are not executable
> code, so even if you imagine a ForceCommand+AcceptEnv configuration *and*
> have the ability to create a message catalog, don't you still need another
> bug to exploit this?

Replacing any format string with something containing %n in the
translation?

Rich