Bug 1102353 (CVE-2014-0475) - CVE-2014-0475 glibc: directory traversal in LC_* locale handling
Summary: CVE-2014-0475 glibc: directory traversal in LC_* locale handling
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2014-0475
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1118581 1127249 1133807 1133808 1133809 1133810 1133811 1133812
Blocks: 1102357 1119129
Reported: 2014-05-28 20:04 UTC by Vincent Danen
Modified: 2021-02-17 06:32 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
A directory traversal flaw was found in the way glibc loaded locale files. An attacker able to make an application use a specially crafted locale name value (for example, specified in an LC_* environment variable) could possibly use this flaw to execute arbitrary code with the privileges of that application.
Clone Of:
Environment:
Last Closed: 2014-08-29 21:49:14 UTC


Attachments
0001-setlocale-Use-the-heap-for-the-copy-of-the-locale-ar.patch (2.25 KB, patch), 2014-07-02 19:41 UTC, Florian Weimer
0002-_nl_find_locale-Improve-handling-of-crafted-locale-n.patch (12.94 KB, patch), 2014-07-02 19:42 UTC, Florian Weimer
0003-manual-Update-the-locale-documentation.patch (10.56 KB, patch), 2014-07-02 19:43 UTC, Florian Weimer


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHSA-2014:1110 | 0 | normal | SHIPPED_LIVE | Important: glibc security update | 2014-08-30 01:40:58 UTC
Sourceware | 17137 | 0 | None | None | None | Never

Description Vincent Danen 2014-05-28 20:04:05 UTC
It was found that glibc suffers from a directory traversal vulnerability when processing paths in LC_* variables.  As a result, you can set arbitrary locale specifications in certain environment variables, such as LC_ALL.  With certain programs, these environment variables are inherited -- this is particularly a problem for suid programs.  A program that runs suid to any other user (including root) could inherit these environment variables and load malicious locale specifications, which could result in the execution of arbitrary code.

Certain programs do not use locale specifications (such as mount, su, passwd), and some sanitize environment variables that contain certain characters (for instance, if sudo encounters a whitelisted environment variable with '/' in the value, it will unset the environment variable).

Other programs may not be as careful with environment variables like this, which could result in arbitrary code execution if they accept such a crafted environment variable that allows for loading arbitrary locale specifications as specified in the environment variable (such as LC_ALL, LC_COLLATE, etc.).


Acknowledgements:

Red Hat would like to thank Stephane Chazelas for reporting this issue.

Comment 8 Florian Weimer 2014-07-02 19:27:09 UTC
Workarounds and mitigating factors for this issue:

On systems which use OpenSSH with the ForceCommand directive, command="" in authorized_keys, or certificate-embedded commands, remove these lines from /etc/ssh/sshd_config:

AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE

SUID/SGID programs are protected by an existing check in glibc and are not directly exposed.  Child processes created by such programs, however, could be exposed because the protections may not extend to them, until the current issue is addressed.

/etc/sudoers may contain env_keep statements for the variables listed above.  However, the default env_check settings prevent exploitation through this vector.
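
As an added defensive illustration for the description and the mitigations in comment 8 (this is example code, not glibc's own fix or any of the attached patches): a check a privileged service could apply to inherited locale variables before handing an environment block to a child process. The variable list is the one from the AcceptEnv lines above; the rejection rule (any '/', or a bare "." or "..") and the function names are assumptions of this example, not a description of the exact check glibc adopted.

```c
#include <stdbool.h>
#include <string.h>

/* Locale-selecting variables: the set the AcceptEnv lines in comment 8
   forward.  Constructed for this example; order is irrelevant. */
static const char *const LOCALE_VARS[] = {
    "LANG", "LANGUAGE", "LC_ALL", "LC_CTYPE", "LC_NUMERIC", "LC_TIME",
    "LC_COLLATE", "LC_MONETARY", "LC_MESSAGES", "LC_PAPER", "LC_NAME",
    "LC_ADDRESS", "LC_TELEPHONE", "LC_MEASUREMENT", "LC_IDENTIFICATION",
};

/* glibc turns a locale name into a path below its locale directory, so
   the name must not be able to step out of it.  Rule assumed here: reject
   any '/' and a bare "." or "..".  "C", "POSIX", "en_US.UTF-8" pass. */
bool locale_name_is_safe(const char *name)
{
    if (name == NULL || strchr(name, '/') != NULL)
        return false;
    return strcmp(name, ".") != 0 && strcmp(name, "..") != 0;
}

/* True when ENTRY ("NAME=value") names one of LOCALE_VARS. */
static bool is_locale_var(const char *entry)
{
    const char *eq = strchr(entry, '=');
    size_t len = eq ? (size_t)(eq - entry) : 0;
    for (size_t i = 0; len && i < sizeof LOCALE_VARS / sizeof *LOCALE_VARS; i++)
        if (strlen(LOCALE_VARS[i]) == len && !memcmp(LOCALE_VARS[i], entry, len))
            return true;
    return false;
}

/* Drops, in place, every locale variable in the NULL-terminated block
   ENVP (the array handed to execve) whose value fails the check above, so
   a child process cannot inherit a crafted name.  Returns the number of
   entries removed; comparable to sudo's env_check treatment of '/'. */
size_t scrub_locale_env(char **envp)
{
    size_t removed = 0, out = 0;
    for (size_t in = 0; envp[in] != NULL; in++) {
        if (is_locale_var(envp[in]) && !locale_name_is_safe(strchr(envp[in], '=') + 1)) {
            removed++;
            continue;
        }
        envp[out++] = envp[in];
    }
    envp[out] = NULL;
    return removed;
}
```

Non-locale variables and entries without '=' are left untouched, so the scrubbed block can be passed straight to execve.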

Comment 9 Florian Weimer 2014-07-02 19:41:55 UTC
Created attachment 914282
0001-setlocale-Use-the-heap-for-the-copy-of-the-locale-ar.patch

Preparatory patch for alloca hardening.

Comment 10 Florian Weimer 2014-07-02 19:42:36 UTC
Created attachment 914283
0002-_nl_find_locale-Improve-handling-of-crafted-locale-n.patch

Main patch for directory traversal detection.

Comment 11 Florian Weimer 2014-07-02 19:43:18 UTC
Created attachment 914284
0003-manual-Update-the-locale-documentation.patch

Documentation update.

Comment 12 Florian Weimer 2014-07-10 18:56:38 UTC
Relevant upstream Git commits:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=d183645616b
  Related alloca hardening (technically not covered by the CVE assignment)

https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=4e8f95a0df7
  Actual fix

https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=58536726692
  Documentation updates

Comment 13 Tomas Hoger 2014-07-10 19:08:50 UTC
Upstream bug:
https://sourceware.org/bugzilla/show_bug.cgi?id=17137

Comment 14 Murray McAllister 2014-07-11 05:27:44 UTC
Created glibc tracking bugs for this issue:

Affects: fedora-all [bug 1118581]

Comment 19 Martin Prpič 2014-08-27 12:47:32 UTC
IssueDescription:

A directory traversal flaw was found in the way glibc loaded locale files. An attacker able to make an application use a specially crafted locale name value (for example, specified in an LC_* environment variable) could possibly use this flaw to execute arbitrary code with the privileges of that application.

Comment 20 Fedora Update System 2014-08-28 15:31:29 UTC
glibc-2.18-14.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 21 errata-xmlrpc 2014-08-29 21:41:22 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5
  Red Hat Enterprise Linux 6
  Red Hat Enterprise Linux 7

Via RHSA-2014:1110 https://rhn.redhat.com/errata/RHSA-2014-1110.html

