oss-security - Re: CVE-2014-0475: glibc directory traversal in LC

Follow @Openwall on Twitter for new release announcements and other news

[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]

Date: Fri, 11 Jul 2014 00:14:32 +0400
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE-2014-0475: glibc directory traversal in LC_* locale handling

On Thu, Jul 10, 2014 at 09:50:02PM +0200, Florian Weimer wrote:
> * Solar Designer:
> 
> > The default sshd_config found in openssh-6.6p1.tar.gz does not list
> > AcceptEnv, so presumably by default OpenSSH portable does not accept any
> > environment variables.
> 
> I expected it to accept TERM,

Good point.  Perhaps the documentation of AcceptEnv needs to be revised
to mention this exception.

> which is sort of unavoidable.

Actually, it is avoidable.  Yes, there is:

	if (s->term)
		child_set_env(&env, &envsize, "TERM", s->term);

but there's also:

static int
session_pty_req(Session *s)
{
[...]
	if (no_pty_flag || !options.permit_tty) {
		debug("Allocating a pty not permitted for this authentication.");
		return 0;
	}
[...]
	s->term = packet_get_string(&len);

So it looks like listing "no-pty" in authorized_keys prevents not only
allocation of a pty, but also passing of TERM.  And this makes sense.

Alexander

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.