Bug#23698: marked as done (Linux-security says: Beware of dangerous enviroment (libc6))
Your message dated Sun, 7 Feb 1999 19:54:09 -0800
with message-id <v04104418b2decee150a6@[206.163.71.146]>
and subject line Closing fixed bugs.
has caused the attached bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I'm
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Ian Jackson
(administrator, Debian bugs database)
Received: (at submit) by bugs.debian.org; 19 Jun 1998 01:03:25 +0000
Received: (qmail 21890 invoked from network); 19 Jun 1998 01:03:22 -0000
Received: from ppp-51x2-0740.mtl.total.net (HELO pianocktail.dyn.ml.org) (207.139.77.198)
by debian.novare.net with SMTP; 19 Jun 1998 01:03:22 -0000
Received: (qmail 5846 invoked by uid 501); 19 Jun 1998 01:03:20 -0000
From: "Christian Hudon" <chrish@debian.org>
Message-ID: <19980618210320.B355@pianocktail.dyn.ml.org>
Date: Thu, 18 Jun 1998 21:03:20 -0400
To: submit@bugs.debian.org
Subject: Linux-security says: Beware of dangerous enviroment (libc6)
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.91.1i
Package: libc6
Version: 2.0.7pre1-4
Severity: important
The following had been posted to linux-security a month ago. Ulrich had
replied with a patch that fixed the problem. I assume the patch has been
merged into the 2.0.7 CVS tree... if so, just close the bug report. If not,
I can send you the patch.
Thanks,
Christian
----- Forwarded message from Pavel Kankovsky <peak@kerberos.troja.mff.cuni.cz> -----
Date: Tue, 19 May 1998 16:26:50 +0200 (MET DST)
From: Pavel Kankovsky <peak@kerberos.troja.mff.cuni.cz>
To: drepper@gnu.org, bug-glibc@gnu.org, hjl@gnu.org, linux-security@redhat.com
Reply-to: peak@kerberos.troja.mff.cuni.cz
Message-id: <Pine.LNX.3.95.980513150558.4166F-100000@kerberos.troja.mff.cuni.cz>
Subject: Beware of dangerous enviroment (Re: Overflows in minicom)
On Tue, 12 May 1998, Andi Kleen wrote on BUGTRAQ:
> I assumed the libc would ignore NLSPATH when the app runs suid (similar
> like it does with LD_LIBRARY_PATH etc.). If it doesn't that is a bad bug.
>
> [... clickety click ... ]
>
> At least glibc 2.1 uses __secure_getenv() for NLSPATH. Don't know about 2.0,
> separate GNU gettext, or libc5.
I have browsed various versions of libc and found a handful of weak points
where the value of an environment variable is trusted more than necessary.

Variable              Impact
NLSPATH               can read arbitrary file
LANGUAGE, LANG, LC_*  ditto (if the value starts with a sufficient number of "../")
TZ                    ditto (../)
LD_PROFILE_OUTPUT     can overwrite arbitrary file (not verified)
Quite a lot of harm can be caused even with read-only access.
Think of getting read access to /dev/*, esp. /dev/mem and /dev/port
(welcome to the world of PC hardware <g>), /proc/kmsg or /proc/*/fd/*.
Affected versions chart

Ver./Var.                        NLSPATH  LANGUAGE, LANG, LC_*  TZ     LD_PROFILE_OUTPUT
libc 5.4.44                      yes      yes(0)                yes    no
glibc 2.0.7                      no(1)    yes                   no(2)  no
glibc pre2.1 (snapshot 980301)   no(1)    yes                   no(2)  yes(3)
Solaris 2.5(4) (with 103187-35)  yes      no                    yes    maybe

(0) not LANGUAGE because libc5 does not have gettext built in
(1) __secure_getenv()
(2) suppressed in __tzfile_read() when __libc_secure_enable is on
(3) not verified
(4) just curious (private Q: does anyone know how one should report
    such problems to Sun?)
Example of "exploitation"

$ mkfifo /tmp/LC_MESSAGES
$ LANG=../../../../tmp xterm &
$ ps l
  FLAGS   UID   PID  PPID PRI  NI SIZE  RSS WCHAN     STA TTY TIME COMMAND
    100   555 17293 17291  14   0 1200  804 wait4     S   p2  0:00 -bash
 100000   555 17347 17293  10   0 2384 1208 fifo_open S   p2  0:00 xterm
 100000   555 17348 17293  17   0  920  500           R   p2  0:00 ps l
Apparently, xterm attempted to open /tmp/LC_MESSAGES.
(Oh yes, xterm is setuid and owned by root.)
--Pavel Kankovsky aka Peak [ Boycott Microsoft--http://www.vcnet.com/bms ]
----- End forwarded message -----
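The two checks the advisory above points at, as an added example that is not part of the bug report and not glibc's code: a privilege-aware getenv() wrapper with the same policy as glibc's __secure_getenv() (return nothing for any variable when the process runs with privileges its invoker did not have), and a validator that refuses locale values able to walk out of the catalog directory with "../". All function names (running_privileged, env_under_policy, guarded_getenv, locale_name_is_safe, choose_locale) are hypothetical, and the sample values in main() are constructed.

```c
/* Added example for this bug report; not glibc code. Function names are
 * hypothetical. It demonstrates (1) ignoring the environment entirely in a
 * privileged process, the policy behind __secure_getenv(), and (2) rejecting
 * locale values that contain path components, so LANG/LC_* cannot redirect
 * the LC_MESSAGES lookup even where the variable is honoured. */
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* "Privileged" here means real and effective ids differ, i.e. the program
 * was started through a setuid/setgid binary. (glibc keys its decision on
 * AT_SECURE, which also covers capabilities; the uid/gid test is the
 * portable part.) */
int running_privileged(void)
{
    return getuid() != geteuid() || getgid() != getegid();
}

/* The policy split out from the id check so it can be exercised directly:
 * a privileged process never sees the variable, an unprivileged one does. */
const char *env_under_policy(const char *name, int privileged)
{
    if (privileged)
        return NULL;
    return getenv(name);
}

/* Drop-in replacement for getenv() in code that may run setuid. */
const char *guarded_getenv(const char *name)
{
    return env_under_policy(name, running_privileged());
}

/* Locale names look like language[_territory][.codeset][@modifier].
 * Allow only that character set, and refuse "/" and ".." outright, so a
 * value such as "../../../../tmp" can never form part of a catalog path. */
int locale_name_is_safe(const char *value)
{
    if (value == NULL || *value == '\0')
        return 0;
    if (strchr(value, '/') != NULL || strstr(value, "..") != NULL)
        return 0;
    for (const char *p = value; *p != '\0'; p++) {
        unsigned char c = (unsigned char)*p;
        if (!(isalnum(c) || c == '_' || c == '-' || c == '.' || c == '@'))
            return 0;
    }
    return 1;
}

/* Pick the locale a program should use: the environment value only when
 * the process is unprivileged and the value passes validation, "C" otherwise. */
const char *choose_locale(const char *env_value, int privileged)
{
    if (privileged || !locale_name_is_safe(env_value))
        return "C";
    return env_value;
}

int main(void)
{
    /* Constructed sample values, not read from a real environment. */
    printf("LANG=en_US.UTF-8, unprivileged     -> %s\n", choose_locale("en_US.UTF-8", 0));
    printf("LANG=../../../../tmp, unprivileged -> %s\n", choose_locale("../../../../tmp", 0));
    printf("LANG=en_US.UTF-8, setuid           -> %s\n", choose_locale("en_US.UTF-8", 1));

    const char *nls = guarded_getenv("NLSPATH");
    printf("guarded_getenv(\"NLSPATH\")          -> %s\n", nls ? nls : "(unset or ignored)");
    return 0;
}
```

The validator is deliberately stricter than glibc needs to be: a privileged program that takes the first branch never reaches it, and an unprivileged one loses nothing by refusing values that are not locale names in the first place.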