Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 11 Jul 2014 01:36:08 -0400
From: Rich Felker <>
Subject: Re: Re: CVE-2014-0475: glibc directory traversal in
 LC_* locale handling

On Thu, Jul 10, 2014 at 04:42:39PM -0700, Tavis Ormandy wrote:
> Rich Felker <> wrote:
> > On Thu, Jul 10, 2014 at 08:52:24PM +0200, Florian Weimer wrote:
> > > Stephane Chazelas discovered that directory traversal issue in locale
> > > handling in glibc.  glibc accepts relative paths with ".." components in
> > > the LC_* and LANG variables.  Together with typical OpenSSH
> > > configurations (with suitable AcceptEnv settings in sshd_config), this
> > > could conceivably be used to bypass ForceCommand restrictions (or
> > > restricted shells), assuming the attacker has sufficient level of access
> > > to a file system location on the host to create crafted locale
> > > definitions there.
> > 
> > Am I correct in assuming this affects most typical git setups (e.g.
> > gitolite) using ssh authorized_keys files with forced commands, where the
> > malicious file could simply be created as part of the git repository? Or
> > are these usually setup to filter the environment?
> > 
> I knew about this behaviour (I imagine lots of people were), but hadn't
> considered it a vulnerability - it's more restricted across setuid, so had
> assumed it was intentionally permitted. Locale files are not executable
> code, so even if you imagine a ForceCommand+AcceptEnv configuration *and*
> have the ability to create a message catalog, don't you still need another
> bug to exploit this?

Replacing any format string with something containing %n in the


Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ