
Bug#23698: marked as done (Linux-security says: Beware of dangerous enviroment (libc6))



Your message dated Sun, 7 Feb 1999 19:54:09 -0800
with message-id <v04104418b2decee150a6@[206.163.71.146]>
and subject line Closing fixed bugs.
has caused the attached bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I'm
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Ian Jackson
(administrator, Debian bugs database)

Received: (at submit) by bugs.debian.org; 19 Jun 1998 01:03:25 +0000
Received: (qmail 21890 invoked from network); 19 Jun 1998 01:03:22 -0000
Received: from ppp-51x2-0740.mtl.total.net (HELO pianocktail.dyn.ml.org) (207.139.77.198)
  by debian.novare.net with SMTP; 19 Jun 1998 01:03:22 -0000
Received: (qmail 5846 invoked by uid 501); 19 Jun 1998 01:03:20 -0000
From: "Christian Hudon" <chrish@debian.org>
Message-ID: <19980618210320.B355@pianocktail.dyn.ml.org>
Date: Thu, 18 Jun 1998 21:03:20 -0400
To: submit@bugs.debian.org
Subject: Linux-security says: Beware of dangerous enviroment (libc6)
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.91.1i

Package: libc6
Version: 2.0.7pre1-4
Severity: important

The following was posted to linux-security a month ago. Ulrich
replied with a patch that fixed the problem. I assume the patch has been
merged into the 2.0.7 CVS tree... if so, just close the bug report. If not,
I can send you the patch.

Thanks,

  Christian

----- Forwarded message from Pavel Kankovsky <peak@kerberos.troja.mff.cuni.cz> -----

Date: Tue, 19 May 1998 16:26:50 +0200 (MET DST)
From: Pavel Kankovsky <peak@kerberos.troja.mff.cuni.cz>
To: drepper@gnu.org, bug-glibc@gnu.org, hjl@gnu.org, linux-security@redhat.com
Reply-to: peak@kerberos.troja.mff.cuni.cz
Message-id: <Pine.LNX.3.95.980513150558.4166F-100000@kerberos.troja.mff.cuni.cz>
Subject: Beware of dangerous enviroment (Re: Overflows in minicom)

On Tue, 12 May 1998, Andi Kleen wrote on BUGTRAQ:

> I assumed the libc would ignore NLSPATH when the app runs suid (similar
> to what it does with LD_LIBRARY_PATH etc.). If it doesn't that is a bad bug.
> 
> [... clickety click ... ]
> 
> At least glibc 2.1 uses __secure_getenv() for NLSPATH. Don't know about 2.0,
> separate GNU gettext, or libc5.


I have browsed various versions of libc and found a handful of weak points
where the value of an environment variable is trusted more than necessary.

Variable                Impact

NLSPATH                 can read arbitrary file
LANGUAGE, LANG, LC_*    ditto (if the value starts with a sufficient
                        number of "../")
TZ                      ditto (../)
LD_PROFILE_OUTPUT       can overwrite arbitrary file (not verified)


Quite a lot of harm can be caused even with read-only access.
Think of getting read access to /dev/*, esp. /dev/mem and /dev/port 
(welcome to the world of PC hardware <g>), /proc/kmsg or /proc/*/fd/*.


Affected versions chart

Ver./Var.              NLSPATH   LANGUAGE, LANG, LC_*   TZ      LD_PROFILE_OUTPUT

libc 5.4.44            yes       yes(0)                 yes     no
glibc 2.0.7            no(1)     yes                    no(2)   no
glibc pre2.1           no(1)     yes                    no(2)   yes(3)
  (snapshot 980301)
Solaris 2.5(4)         yes       no                     yes     maybe
  (with 103187-35)

(0) not LANGUAGE because libc5 does not have gettext built in
(1) __secure_getenv()
(2) suppressed in __tzfile_read() when __libc_secure_enable is on
(3) not verified
(4) just curious (private Q: does anyone know how one should report
    such problems to Sun?)


Example of "exploitation"

$ mkfifo /tmp/LC_MESSAGES
$ LANG=../../../../tmp xterm &
$ ps l
 FLAGS   UID   PID  PPID PRI  NI   SIZE   RSS WCHAN       STA TTY TIME COMMAND
   100   555 17293 17291  14   0   1200   804 wait4       S   p2  0:00 -bash
100000   555 17347 17293  10   0   2384  1208 fifo_open   S   p2  0:00 xterm
100000   555 17348 17293  17   0    920   500             R   p2  0:00 ps l

Apparently, xterm attempted to open /tmp/LC_MESSAGES.
(Oh yes, xterm is setuid and owned by root.)


--Pavel Kankovsky aka Peak  [ Boycott Microsoft--http://www.vcnet.com/bms ]

-- 
----------------------------------------------------------------------
Please refer to the information about this list as well as general
information about Linux security at http://www.aoy.com/Linux/Security.
----------------------------------------------------------------------

To unsubscribe: mail -s unsubscribe test-list-request@redhat.com < /dev/null

----- End forwarded message -----
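The weak pattern the forwarded report describes, and the two defences it points at (__secure_getenv()-style refusal of the environment in a setuid process, and refusing locale names that are not a single path component), as an added example. This is not glibc's code and not part of the bug report; the catalog root, the uid/euid test used to decide "secure mode", the function names and the check that rejects any '/' in a locale name are illustrative assumptions.

```c
/* Added example (not glibc code, not part of the bug report): a minimal
 * message-catalog path builder showing the weak pattern the report
 * describes beside a hardened variant.  Paths, names and the "secure
 * mode" test are illustrative assumptions. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Assumed catalog root, in the spirit of /usr/share/locale. */
#define LOCALEDIR "/usr/share/locale"

/* Does the process run with privileges its caller did not have?  This is
 * the uid/euid, gid/egid comparison old libcs used for their "secure"
 * flag; AT_SECURE and capabilities are deliberately not considered. */
static int process_is_secure(void)
{
    return getuid() != geteuid() || getgid() != getegid();
}

/* __secure_getenv-style lookup: the variable is ignored entirely when the
 * process is setuid/setgid.  `secure` is a parameter so both paths can be
 * exercised without installing a setuid binary. */
static const char *secure_getenv_like(const char *name, int secure)
{
    return secure ? NULL : getenv(name);
}

/* A locale name may only ever be a single path component: no '/', and
 * not "." or "..".  Rejecting '/' alone already defeats "../../../../tmp". */
static int locale_name_is_safe(const char *name)
{
    if (name == NULL || *name == '\0')
        return 0;
    if (strchr(name, '/') != NULL)
        return 0;
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
        return 0;
    return 1;
}

/* WEAK: the value of LANG is spliced into a path with no check, so
 * LANG=../../../../tmp makes the program look under /tmp/LC_MESSAGES,
 * which is exactly where the report plants a FIFO. */
static char *catalog_path_weak(const char *lang, const char *domain,
                               char *out, size_t outlen)
{
    if (lang == NULL)
        lang = "C";
    if (snprintf(out, outlen, LOCALEDIR "/%s/LC_MESSAGES/%s.mo",
                 lang, domain) >= (int)outlen)
        return NULL;                  /* truncated: do not use */
    return out;
}

/* HARDENED: refuse any locale name (or domain) that is not a plain path
 * component.  NULL means "open no catalog"; the caller falls back to the
 * built-in, untranslated text. */
static char *catalog_path_safe(const char *lang, const char *domain,
                               char *out, size_t outlen)
{
    if (!locale_name_is_safe(lang) || strchr(domain, '/') != NULL)
        return NULL;
    return catalog_path_weak(lang, domain, out, outlen);
}

/* Both defences together: in secure mode the environment is not even
 * consulted; otherwise the value still has to pass the name check. */
static char *catalog_path_from_env(const char *domain, int secure,
                                   char *out, size_t outlen)
{
    const char *lang = secure_getenv_like("LANG", secure);
    if (lang == NULL)
        return NULL;
    return catalog_path_safe(lang, domain, out, outlen);
}

int main(void)
{
    char buf[256];
    const char *attack = "../../../../tmp";   /* the LANG from the report */
    int secure = process_is_secure();

    printf("weak:     %s\n", catalog_path_weak(attack, "xterm", buf, sizeof buf));
    printf("hardened: %s\n",
           catalog_path_safe(attack, "xterm", buf, sizeof buf) ? buf : "(refused)");
    printf("secure=%d from LANG: %s\n", secure,
           catalog_path_from_env("xterm", secure, buf, sizeof buf) ? buf : "(refused)");
    return 0;
}
```

Run as an ordinary user the third line reflects whatever LANG is set to; run from a setuid copy it prints "(refused)" regardless of the environment, which is the behaviour the report wanted from libc. Note that `process_is_secure()` is a simplification: a library that wants to be correct on Linux should honour AT_SECURE (what glibc's `__libc_enable_secure` is derived from), since uid==euid is not the only way a process can be running with privilege it should not trust its environment with.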

