Date: Fri, 11 Jul 2014 01:36:08 -0400 From: Rich Felker <dalias@...c.org> To: oss-security@...ts.openwall.com Subject: Re: Re: CVE-2014-0475: glibc directory traversal in LC_* locale handling On Thu, Jul 10, 2014 at 04:42:39PM -0700, Tavis Ormandy wrote: > Rich Felker <dalias@...c.org> wrote: > > > On Thu, Jul 10, 2014 at 08:52:24PM +0200, Florian Weimer wrote: > > > Stephane Chazelas discovered that directory traversal issue in locale > > > handling in glibc. glibc accepts relative paths with ".." components in > > > the LC_* and LANG variables. Together with typical OpenSSH > > > configurations (with suitable AcceptEnv settings in sshd_config), this > > > could conceivably be used to bypass ForceCommand restrictions (or > > > restricted shells), assuming the attacker has sufficient level of access > > > to a file system location on the host to create crafted locale > > > definitions there. > > > > Am I correct in assuming this affects most typical git setups (e.g. > > gitolite) using ssh authorized_keys files with forced commands, where the > > malicious file could simply be created as part of the git repository? Or > > are these usually setup to filter the environment? > > > > I knew about this behaviour (I imagine lots of people were), but hadn't > considered it a vulnerability - it's more restricted across setuid, so had > assumed it was intentionally permitted. Locale files are not executable > code, so even if you imagine a ForceCommand+AcceptEnv configuration *and* > have the ability to create a message catalog, don't you still need another > bug to exploit this? Replacing any format string with something containing %n in the translation? Rich
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ