Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 516884 (CVE-2014-0475) - <sys-libs/glibc-2.20: directory traversal in LC_* locale handling (CVE-2014-0475)
Summary: <sys-libs/glibc-2.20: directory traversal in LC_* locale handling (CVE-2014-0...
Status: RESOLVED FIXED
Alias: CVE-2014-0475
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: A4 [glsa]
Keywords:
Depends on: 544034
Blocks: CVE-2014-5119 CVE-2014-6040 CVE-2014-7817 CVE-2014-9402 CVE-2013-7423 CVE-2015-1472 CVE-2015-8982
  Show dependency tree
 
Reported: 2014-07-11 09:23 UTC by Agostino Sarubbo
Modified: 2016-02-17 15:37 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2014-07-11 09:23:40 UTC
From ${URL} :

Stephane Chazelas discovered that directory traversal issue in locale
handling in glibc.  glibc accepts relative paths with ".." components
in the LC_* and LANG variables.  Together with typical OpenSSH
configurations (with suitable AcceptEnv settings in sshd_config), this
could conceivably be used to bypass ForceCommand restrictions (or
restricted shells), assuming the attacker has sufficient level of
access to a file system location on the host to create crafted locale
definitions there.

Bug report: https://sourceware.org/bugzilla/show_bug.cgi?id=17137

Git commits:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=d183645616b
  Related alloca hardening (technically not covered by the CVE assignment)

https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=4e8f95a0df7
  Actual fix

https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=58536726692
  Documentation updates

(To backport the new test in a reliable fashion, you need to tweak the
Makefile to set the LOCPATH environment variable.)



@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2014-07-30 03:09:02 UTC
CVE-2014-0475 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0475):
  Multiple directory traversal vulnerabilities in GNU C Library (aka glibc or
  libc6) before 2.20 allow context-dependent attackers to bypass ForceCommand
  restrictions and possibly have other unspecified impact via a .. (dot dot)
  in a (1) LC_*, (2) LANG, or other locale environment variable.
Comment 2 Yury German Gentoo Infrastructure gentoo-dev Security 2014-09-09 23:18:58 UTC
From Upstream:
"08 Septtember 2014
The GNU C Library version 2.20 is now available"
https://sourceware.org/ml/libc-alpha/2014-09/msg00088.html

Maintainer(s): after the bump please let us know when the ebuild is ready for  stabilization.
Comment 3 SpanKY gentoo-dev 2015-02-17 08:11:04 UTC
fix is also in glibc-2.20-r2 now
Comment 4 SpanKY gentoo-dev 2015-02-17 08:11:34 UTC
err, ignore that ... fix is in all 2.20 releases obviously
Comment 5 Kristian Fiskerstrand gentoo-dev Security 2015-02-17 08:57:51 UTC
(In reply to SpanKY from comment #4)
> err, ignore that ... fix is in all 2.20 releases obviously

Indeed, thanks for backporting the fixes for the related (now marked as blocked by this bug)

Please call for stabilization when you consider that the package has gotten appropriate testing and is ready for it.
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2016-02-17 15:37:31 UTC
This issue was resolved and addressed in
 GLSA 201602-02 at https://security.gentoo.org/glsa/201602-02
by GLSA coordinator Tobias Heinlein (keytoaster).