It was found that glibc suffers from a directory traversal vulnerability when processing paths in LC_* variables. As a result, you can set arbitrary locale specifications in certain environment variables, such as LC_ALL. With certain programs, these environment variables are inherited -- this is particularly a problem for suid programs. A program that runs suid to any other user (including root) could inherit these environment variables and load malicious locale specifications, which could result in the execution of arbitrary code.
Certain programs do not use locale specifications (such as mount, su, passwd), and some sanitize environment variables that contain certain characters (for instance, if sudo encounters a whitelisted environment variable with '/' in the value, it will unset the environment variable).
Other programs may not be as careful with environment variables like this, which could result in arbitrary code execution if they accept such a crafted environment variable that allows for loading arbitrary locale specifications as specified in the environment variable (such as LC_ALL, LC_COLLATE, etc.).
Red Hat would like to thank Stephane Chazelas for reporting this issue.
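The following is an added example (not glibc code, not part of this bug report) modelling the flaw described above: the locale name taken from LC_ALL / LC_<category> / LANG is spliced into a path under the per-locale directory, so a name containing '/' and '..' resolves outside that directory, whereas validating the name against the locale-name grammar before building the path stops the traversal. The directory layout /usr/lib/locale/<name>/<category> and the validator regex are assumptions for the example; the locale-archive lookup is not modelled, and the check shown is not the text of the glibc patch.

```python
import posixpath
import re

# Assumed per-locale directory layout: /usr/lib/locale/<name>/<category>.
LOCALE_DIR = "/usr/lib/locale"

# Assumed validator: language[_TERRITORY][.codeset][@modifier] shape, first
# character alphanumeric. This excludes '/' entirely and a leading '.', so
# neither ".." nor an absolute path can appear as a path component.
_LOCALE_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_.@-]*$")


def locale_name_from_env(env, category):
    """setlocale(3) precedence: LC_ALL, then the category variable, then LANG, else the C locale."""
    for var in ("LC_ALL", category, "LANG"):
        value = env.get(var)
        if value:
            return value
    return "C"


def locale_file_path_unchecked(name, category, locale_dir=LOCALE_DIR):
    """Pre-fix behaviour: the name goes into the path unvalidated; '..' is resolved by the kernel."""
    return posixpath.normpath(posixpath.join(locale_dir, name, category))


def escapes_locale_dir(path, locale_dir=LOCALE_DIR):
    """True when a resolved path lies outside the locale directory (the traversal succeeded)."""
    return not path.startswith(locale_dir.rstrip("/") + "/")


def valid_locale_name(name):
    """Reject empty names, '.', '..', and anything containing '/' or characters outside the grammar."""
    return bool(name) and _LOCALE_NAME_RE.match(name) is not None


def locale_file_path_checked(name, category, locale_dir=LOCALE_DIR):
    """Hardened lookup: validate first, so a traversal name never reaches the filesystem."""
    if not valid_locale_name(name):
        raise ValueError("invalid locale name: %r" % (name,))
    return locale_file_path_unchecked(name, category, locale_dir)


if __name__ == "__main__":
    # Constructed attacker environment: LC_ALL overrides LANG and carries the traversal.
    env = {"LC_ALL": "../../../tmp/evil", "LANG": "en_US.UTF-8"}
    name = locale_name_from_env(env, "LC_CTYPE")
    path = locale_file_path_unchecked(name, "LC_CTYPE")
    print("unchecked:", path, "escapes locale dir:", escapes_locale_dir(path))
    try:
        locale_file_path_checked(name, "LC_CTYPE")
    except ValueError as exc:
        print("checked:", exc)
```

With three ".." components the unchecked path resolves to /tmp/evil/LC_CTYPE, a file the attacker controls; the checked variant refuses the name before any open() happens.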
Workarounds and mitigating factors for this issue:
On systems which use OpenSSH with the ForceCommand directive, command="" in authorized_keys, or certificate-embedded commands, remove these lines from /etc/ssh/sshd_config:
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
SUID/SGID programs are protected by an existing check in glibc and are not directly exposed. Child processes created by such programs, however, could be exposed because the protections may not extend to them, until the current issue is addressed.
/etc/sudoers may contain env_keep statements for the variables listed above. However, the default env_check settings prevent exploitation through this vector.
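As an added example (not part of this bug report or of any vendor tooling), the script below audits the two vectors the workaround section covers: it lists which locale variables an sshd_config still accepts via AcceptEnv (expanding patterns such as LC_*), produces a config with those names removed as the workaround prescribes, lists locale variables preserved by env_keep in a sudoers file, and applies sudo's documented env_check rule (sudoers(5): a checked variable is dropped when its value contains '/' or '%'). The sample sshd_config and sudoers fragments are constructed for the example; env_keep -= lines are not modelled.

```python
import fnmatch
import re

# The locale variables named in the AcceptEnv lines above.
LOCALE_VARS = (
    "LANG", "LANGUAGE", "LC_ALL", "LC_CTYPE", "LC_NUMERIC", "LC_TIME", "LC_COLLATE",
    "LC_MONETARY", "LC_MESSAGES", "LC_PAPER", "LC_NAME", "LC_ADDRESS", "LC_TELEPHONE",
    "LC_MEASUREMENT", "LC_IDENTIFICATION",
)

# Matches 'Defaults env_keep = "..."' and 'Defaults env_keep += "..."' (not -=).
_ENV_KEEP_RE = re.compile(r'^\s*Defaults\b.*\benv_keep\s*\+?=\s*"?([^"]*)"?', re.IGNORECASE)


def _acceptenv_tokens(raw_line):
    """Return the patterns of an AcceptEnv line (comment stripped), or [] for any other line."""
    parts = raw_line.split("#", 1)[0].split()
    if len(parts) >= 2 and parts[0].lower() == "acceptenv":
        return parts[1:]
    return []


def sshd_accepted_locale_vars(sshd_config_text):
    """Locale variables a client can push through AcceptEnv; wildcard patterns are expanded."""
    accepted = set()
    for raw in sshd_config_text.splitlines():
        for pattern in _acceptenv_tokens(raw):
            accepted.update(v for v in LOCALE_VARS if fnmatch.fnmatchcase(v, pattern))
    return sorted(accepted)


def strip_locale_acceptenv(sshd_config_text):
    """Apply the workaround: drop locale names (and patterns matching one) from AcceptEnv lines;
    a line left with nothing to accept is removed. Every other line is copied through unchanged."""
    out = []
    for raw in sshd_config_text.splitlines():
        tokens = _acceptenv_tokens(raw)
        if tokens:
            keep = [t for t in tokens if not any(fnmatch.fnmatchcase(v, t) for v in LOCALE_VARS)]
            if keep:
                out.append("AcceptEnv " + " ".join(keep))
            continue
        out.append(raw)
    return "\n".join(out) + "\n"


def sudoers_env_keep_locale_vars(sudoers_text):
    """Locale variables preserved by env_keep in a sudoers file (env_reset assumed in effect)."""
    kept = set()
    for raw in sudoers_text.splitlines():
        m = _ENV_KEEP_RE.match(raw)
        if m:
            kept.update(v for v in m.group(1).split() if v in LOCALE_VARS)
    return sorted(kept)


def sudo_env_check_drops(value):
    """sudoers(5) env_check rule: the variable is removed if its value contains '/' or '%'."""
    return "/" in value or "%" in value


# Constructed sample sshd_config: the AcceptEnv lines from the advisory plus a forced command.
SAMPLE_SSHD_CONFIG = """\
# constructed sample, not a real host's configuration
Port 22
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS GIT_*
Match User deploy
    ForceCommand /usr/local/bin/deploy-only
"""

# Constructed sample sudoers fragment with locale variables in env_keep.
SAMPLE_SUDOERS = """\
Defaults    env_reset
Defaults    env_keep =  "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS"
Defaults    env_keep += "LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION"
Defaults    env_keep += "LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"
"""

if __name__ == "__main__":
    print("sshd accepts:", sshd_accepted_locale_vars(SAMPLE_SSHD_CONFIG))
    print(strip_locale_acceptenv(SAMPLE_SSHD_CONFIG))
    print("sudoers keeps:", sudoers_env_keep_locale_vars(SAMPLE_SUDOERS))
    print("env_check drops traversal value:", sudo_env_check_drops("../../../tmp/evil"))
```

Run against a real /etc/ssh/sshd_config and /etc/sudoers (read as text) the two list functions show what remains exposed; the env_check rule is why a sudoers env_keep entry alone is not exploitable here, since any traversal value must contain '/'.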
Created attachment 914282
Preparatory patch for alloca hardening.
Created attachment 914283
Main patch for directory traversal detection.
Created attachment 914284
Relevant upstream Git commits:
Related alloca hardening (technically not covered by the CVE assignment)
Created glibc tracking bugs for this issue:
Affects: fedora-all [bug 1118581]
A directory traversal flaw was found in the way glibc loaded locale files. An attacker able to make an application use a specially crafted locale name value (for example, specified in an LC_* environment variable) could possibly use this flaw to execute arbitrary code with the privileges of that application.
glibc-2.18-14.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
This issue has been addressed in the following products:
Red Hat Enterprise Linux 5
Red Hat Enterprise Linux 6
Red Hat Enterprise Linux 7
Via RHSA-2014:1110 https://rhn.redhat.com/errata/RHSA-2014-1110.html