Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Thu, 10 Jul 2014 21:23:48 +0200
From: Florian Weimer <fw@...eb.enyo.de>
To: oss-security@...ts.openwall.com
Subject: Re: CVE-2014-0475: glibc directory traversal in LC_* locale handling

* Rich Felker:

> Am I correct in assuming this affects most typical git setups (e.g.
> gitolite) using ssh authorized_keys files with forced commands, where
> the malicious file could simply be created as part of the git
> repository?

Probably, especially if there is a checkout of the repository in the
file system under a predictable path.  (I expect that most hosted
repositories use the bare format.)  I don't know how common this is
with the existing Git hosting frameworks.  Some of them don't use
OpenSSH and may not implement environment variable processing at all.

> Or are these usually setup to filter the environment?

It seems fairly likely because unexpected, but benign locale settings
would interfere with the hook script processing (which likely assume
U.S. date formats and UTF-8).

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.