Bug 1102353 (CVE-2014-0475)

Summary: CVE-2014-0475 glibc: directory traversal in LC_* locale handling
Product: [Other] Security Response
Reporter: Vincent Danen <vdanen>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: ashankar, carnil, codonell, fweimer, jkurik, jrusnack, mthapa, pfrankli, security-response-team, spoyarek, vkrizan
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Doc Type: Bug Fix
Doc Text:
A directory traversal flaw was found in the way glibc loaded locale files. An attacker able to make an application use a specially crafted locale name value (for example, specified in an LC_* environment variable) could possibly use this flaw to execute arbitrary code with the privileges of that application.
Story Points: ---
Last Closed: 2014-08-29 21:49:14 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 1118581, 1127249, 1133807, 1133808, 1133809, 1133810, 1133811, 1133812
Bug Blocks: 1102357, 1119129
Attachments (description, flags):
0001-setlocale-Use-the-heap-for-the-copy-of-the-locale-ar.patch (flags: none)
0002-_nl_find_locale-Improve-handling-of-crafted-locale-n.patch (flags: none)
0003-manual-Update-the-locale-documentation.patch (flags: none)

Description Vincent Danen 2014-05-28 20:04:05 UTC
It was found that glibc suffers from a directory traversal vulnerability when processing paths in LC_* variables.  As a result, you can set arbitrary locale specifications in certain environment variables, such as LC_ALL.  With certain programs, these environment variables are inherited -- this is particularly a problem for suid programs.  A program that runs suid to any other user (including root) could inherit these environment variables and load malicious locale specifications, which could result in the execution of arbitrary code.

Certain programs do not use locale specifications (such as mount, su, passwd), and some sanitize environment variables that contain certain characters (for instance, if sudo encounters a whitelisted environment variable with '/' in the value, it will unset the environment variable).

Other programs may not be as careful with environment variables like this, which could result in arbitrary code execution if they accept such a crafted environment variable that allows for loading arbitrary locale specifications as specified in the environment variable (such as LC_ALL, LC_COLLATE, etc.).


Acknowledgements:

Red Hat would like to thank Stephane Chazelas for reporting this issue.

Comment 8 Florian Weimer 2014-07-02 19:27:09 UTC
Workarounds and mitigating factors for this issue:

On systems which use OpenSSH with the ForceCommand directive, command="" in authorized_keys, or certificate-embedded commands, remove these lines from /etc/ssh/sshd_config:

AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE

SUID/SGID programs are protected by an existing check in glibc and are not directly exposed.  Child processes created by such programs, however, could be exposed because the protections may not extend to them, until the current issue is addressed.

/etc/sudoers may contain env_keep statements for the variables listed above.  However, the default env_check settings prevent exploitation through this vector.
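
The following C example is added here; it is not glibc's code and not part of this bug report. It illustrates the kind of locale-name check the "directory traversal detection" patch is described as adding, and an environment audit that a program launching children on behalf of a privileged parent (the exposure comment 8 describes) could apply before the exec. The rejection rule set (empty, ".", "..", or any name containing '/'), the function names and the sample environment are assumptions made for this illustration.

```c
/* Added example, not glibc's own code: a locale-name validator modelled on
   the idea of the CVE-2014-0475 fix, plus an audit of an environment block
   for LC_* / LANG / LANGUAGE values it rejects.  Rule set is an assumption. */
#include <stdio.h>
#include <string.h>

/* 1 if NAME is an acceptable locale name, 0 otherwise.  A name containing a
   path separator, or equal to "." or "..", can steer the loader outside the
   locale directory, so it is refused instead of being searched for.  */
int valid_locale_name(const char *name)
{
    size_t len = strlen(name);
    if (len == 0)
        return 0;
    if (name[0] == '.' && (len == 1 || (len == 2 && name[1] == '.')))
        return 0;
    return strchr(name, '/') == NULL;
}

/* 1 if VAR ("NAME=value") is a locale-controlling variable: LANG, LANGUAGE
   or any LC_*.  These are the values that reach the locale loader.  */
static int is_locale_var(const char *var)
{
    return strncmp(var, "LC_", 3) == 0 || strncmp(var, "LANG=", 5) == 0
        || strncmp(var, "LANGUAGE=", 9) == 0;
}

/* Scan a NULL-terminated environment block and count locale variables whose
   value fails valid_locale_name().  Offenders are reported on stderr so the
   caller can drop them before handing the environment to a child process.  */
int count_unsafe_locale_vars(char *const envp[])
{
    int unsafe = 0;
    for (size_t i = 0; envp[i] != NULL; i++) {
        const char *eq = strchr(envp[i], '=');
        if (eq == NULL || !is_locale_var(envp[i]) || eq[1] == '\0')
            continue;   /* not a locale variable, or empty (treated as unset) */
        if (!valid_locale_name(eq + 1)) {
            fprintf(stderr, "unsafe locale value in %.*s\n",
                    (int)(eq - envp[i]), envp[i]);
            unsafe++;
        }
    }
    return unsafe;
}

/* Constructed sample environment (not captured from any real system). */
char *const sample_env[] = { "LANG=en_US.UTF-8", "LC_ALL=../../tmp/crafted",
                             "LC_MESSAGES=..", "PATH=/usr/bin", "LC_TIME=", NULL };
```

Running count_unsafe_locale_vars(sample_env) reports LC_ALL and LC_MESSAGES and returns 2; the empty LC_TIME is treated as unset and PATH is ignored.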

Comment 9 Florian Weimer 2014-07-02 19:41:55 UTC
Created attachment 914282 [details]
0001-setlocale-Use-the-heap-for-the-copy-of-the-locale-ar.patch

Preparatory patch for alloca hardening.

Comment 10 Florian Weimer 2014-07-02 19:42:36 UTC
Created attachment 914283 [details]
0002-_nl_find_locale-Improve-handling-of-crafted-locale-n.patch

Main patch for directory traversal detection.

Comment 11 Florian Weimer 2014-07-02 19:43:18 UTC
Created attachment 914284 [details]
0003-manual-Update-the-locale-documentation.patch

Documentation update.

Comment 12 Florian Weimer 2014-07-10 18:56:38 UTC
Relevant upstream Git commits:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=d183645616b
  Related alloca hardening (technically not covered by the CVE assignment)

https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=4e8f95a0df7
  Actual fix

https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=58536726692
  Documentation updates

Comment 13 Tomas Hoger 2014-07-10 19:08:50 UTC
Upstream bug:
https://sourceware.org/bugzilla/show_bug.cgi?id=17137

Comment 14 Murray McAllister 2014-07-11 05:27:44 UTC
Created glibc tracking bugs for this issue:

Affects: fedora-all [bug 1118581]

Comment 19 Martin Prpič 2014-08-27 12:47:32 UTC
IssueDescription:

A directory traversal flaw was found in the way glibc loaded locale files. An attacker able to make an application use a specially crafted locale name value (for example, specified in an LC_* environment variable) could possibly use this flaw to execute arbitrary code with the privileges of that application.

Comment 20 Fedora Update System 2014-08-28 15:31:29 UTC
glibc-2.18-14.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 21 errata-xmlrpc 2014-08-29 21:41:22 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5
  Red Hat Enterprise Linux 6
  Red Hat Enterprise Linux 7

Via RHSA-2014:1110 https://rhn.redhat.com/errata/RHSA-2014-1110.html