Bug 18046 - Another security hole in usermode/glibc
Product: Red Hat Linux
Classification: Retired
Component: usermode
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Nalin Dahyabhai
Keywords: Security
Reported: 2000-10-01 20:47 EDT by Chris Evans
Modified: 2008-05-01 11:37 EDT
Doc Type: Bug Fix
Last Closed: 2000-10-16 13:09:39 EDT

Description Chris Evans 2000-10-01 20:47:17 EDT

Please see the local root exploit posted to Bugtraq,


Issue is usermode passing untrusted user environment down to the programs
it launches.

Of course, it would be nice if glibc were more paranoid about ".." in
locale paths.
Comment 1 Nalin Dahyabhai 2000-10-02 01:20:00 EDT
We're going to have to add a whitelist and use execle() to run the right
program, but we need to preserve a sane LANG rather than let the default "C" be
used.  Might have to make a specific exception for LANG, though.
Comment 2 Jakub Jelinek 2000-10-03 04:23:48 EDT
Actually, glibc takes care of slashes, not .. in locale paths. Anyway, I
don't think glibc should restrict LANG/LC_ALL for non-setuid root, maybe it
should remove LC_*/LANG from environment for setuid programs if it contains
/. I'll talk with Ulrich. Anyway, IMHO all suid/sgid apps which exec something
should be careful by themselves.
In ftp://ultra.linux.cz/private/usermode/ are updated usermode RPMs. Nalin,
could you please retest the Bugtraq exploit with them and issue errata ASAP
(like today) for all distributions shipping usermode? This is really serious.
And we should check all suid/sgid apps which ever exec for this kind of thing
as well.
Comment 3 Nalin Dahyabhai 2000-10-05 14:33:58 EDT
Still not sure what to do about other distributions, but usermode with a couple
of minor bug fixes is now in the pipeline.
Comment 4 Chris Evans 2000-10-16 13:09:36 EDT
Errata is released - fancy marking the bug RESOLVED + ERRATA?
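
Added example, not part of the original bug thread and not the usermode source: one way to implement the approach discussed in comments 1 and 2, where a setuid helper builds a whitelisted environment, keeps a locale variable only when its value is a plain name without "/" or "..", and hands the result to execle(). The variable list, the fixed PATH, the 64-character limit and the sample environment are assumptions made for this sketch.

```c
#include <ctype.h>
#include <string.h>
#include <unistd.h>

/* Locale variables passed through to the child (assumed list for this example). */
static const char *const locale_vars[] = { "LANG", "LC_ALL", "LC_CTYPE", "LC_MESSAGES" };
#define NVARS (sizeof locale_vars / sizeof *locale_vars)

/* Accept only a plain locale name: short, no '/', no "..", safe characters. */
int locale_value_ok(const char *v)
{
    if (v == NULL || *v == '\0' || strlen(v) > 64 || strstr(v, ".."))
        return 0;
    for (; *v; v++)
        if (!isalnum((unsigned char)*v) && !strchr("_.@-", *v))
            return 0;
    return 1;
}

/* out[] (cap >= 2) = fixed PATH + validated locale vars from src[]; rest dropped. */
size_t build_clean_env(char *const src[], char *out[], size_t cap)
{
    size_t n = 0;
    out[n++] = "PATH=/sbin:/usr/sbin:/bin:/usr/bin";
    for (size_t k = 0; k < NVARS && n + 1 < cap; k++) {
        size_t len = strlen(locale_vars[k]);
        for (size_t i = 0; src && src[i]; i++) {
            if (strncmp(src[i], locale_vars[k], len) || src[i][len] != '=')
                continue;
            if (locale_value_ok(src[i] + len + 1))
                out[n++] = src[i];
            break; /* first occurrence decides; later duplicates are ignored */
        }
    }
    out[n] = NULL;
    return n;
}

int main(void)
{
    /* Constructed sample of an untrusted caller environment. */
    char *untrusted[] = { "LANG=en_US.UTF-8", "LC_ALL=../../tmp/x",
                          "PATH=/home/user/bin", "EDITOR=vi", NULL };
    char *clean[NVARS + 2];
    build_clean_env(untrusted, clean, NVARS + 2);
    execle("/usr/bin/env", "env", (char *)NULL, clean); /* child prints its view */
    return 127; /* reached only if execle() fails */
}
```

Run as is, the child `env` prints only the fixed PATH and `LANG=en_US.UTF-8`; the rejected `LC_ALL` is dropped rather than rewritten, so the child falls back to LANG.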
