From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: (qmail 24266 invoked by alias); 9 Jul 2014 16:09:40 -0000
Mailing-List: contact glibc-bugs-help@sourceware.org; run by ezmlm
Precedence: bulk
List-Id:
List-Subscribe:
List-Post:
List-Help: ,
Sender: glibc-bugs-owner@sourceware.org
Received: (qmail 24116 invoked by uid 48); 9 Jul 2014 16:09:31 -0000
From: "fweimer at redhat dot com"
To: glibc-bugs@sourceware.org
Subject: [Bug localedata/17137] New: Directory traversal in locale environment handling (CVE-2014-0475)
Date: Wed, 09 Jul 2014 16:09:00 -0000
X-Bugzilla-Reason: CC
X-Bugzilla-Type: new
X-Bugzilla-Watch-Reason: None
X-Bugzilla-Product: glibc
X-Bugzilla-Component: localedata
X-Bugzilla-Version: unspecified
X-Bugzilla-Keywords:
X-Bugzilla-Severity: normal
X-Bugzilla-Who: fweimer at redhat dot com
X-Bugzilla-Status: NEW
X-Bugzilla-Priority: P2
X-Bugzilla-Assigned-To: fweimer at redhat dot com
X-Bugzilla-Target-Milestone: ---
X-Bugzilla-Flags: security+
X-Bugzilla-Changed-Fields: bug_id short_desc product version bug_status bug_severity priority component assigned_to reporter cc flagtypes.name
Message-ID:
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
X-Bugzilla-URL: http://sourceware.org/bugzilla/
Auto-Submitted: auto-generated
MIME-Version: 1.0
X-SW-Source: 2014-07/txt/msg00590.txt.bz2

https://sourceware.org/bugzilla/show_bug.cgi?id=17137

            Bug ID: 17137
           Summary: Directory traversal in locale environment handling (CVE-2014-0475)
           Product: glibc
           Version: unspecified
            Status: NEW
          Severity: normal
          Priority: P2
         Component: localedata
          Assignee: fweimer at redhat dot com
          Reporter: fweimer at redhat dot com
                CC: libc-locales at sourceware dot org
             Flags: security+

Stephane Chazelas reported (via Debian) a directory traversal issue in locale handling in glibc. glibc accepts relative paths with ".." components in the LC_* and LANG variables.
Together with typical OpenSSH configurations (with suitable AcceptEnv settings in sshd_config), this could conceivably be used to bypass ForceCommand restrictions, assuming the attacker has a sufficient level of access to a file system location on the host to create crafted locale definitions there.

Due to an existing AT_SECURE check, SUID/SGID binaries are not directly vulnerable, but this protection will not necessarily extend to child processes. For sudo, this is mitigated by the env_check defaults, so even configurations which list LC_* variables among env_keep should be safe.

I will post patches to libc-alpha for review shortly.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
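
A defensive check for the issue reported above, as an added example that is not glibc's patch and not code from the bug report: it treats LANG and LC_* values as locale names, never paths, and flags any value that contains "/" or is "." or "..". The function names and the 255-byte length limit are assumptions of this example; a privileged program or ForceCommand wrapper could run such a check over its environment before starting child processes.

```c
#include <stddef.h>
#include <string.h>

/* Assumed policy for this example: a locale value is a name, never a path. */
#define LOCALE_NAME_MAX 255  /* assumed upper bound, not taken from the report */

/* Return 1 if value is acceptable as a locale name, 0 otherwise. */
int locale_value_is_safe(const char *value)
{
    size_t len = strlen(value);

    if (len == 0)
        return 1;                       /* empty value: nothing to resolve */
    if (len > LOCALE_NAME_MAX)
        return 0;
    if (strcmp(value, ".") == 0 || strcmp(value, "..") == 0)
        return 0;
    if (strchr(value, '/') != NULL)     /* any separator, so no "../" components */
        return 0;
    return 1;
}

/* Return 1 if a "NAME=value" entry names LANG or an LC_* variable. */
static int is_locale_var(const char *entry, const char **value)
{
    const char *eq = strchr(entry, '=');

    if (eq == NULL)
        return 0;
    size_t n = (size_t)(eq - entry);
    if (!((n == 4 && strncmp(entry, "LANG", 4) == 0) ||
          (n > 3 && strncmp(entry, "LC_", 3) == 0)))
        return 0;
    *value = eq + 1;
    return 1;
}

/* Return the first unsafe LANG/LC_* entry in envp, or NULL if all pass. */
const char *first_unsafe_locale_var(char *const envp[])
{
    for (size_t i = 0; envp[i] != NULL; i++) {
        const char *value;
        if (is_locale_var(envp[i], &value) && !locale_value_is_safe(value))
            return envp[i];
    }
    return NULL;
}
```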