Bugzilla – Bug 678031
VUL-0: CVE-2011-1095: glibc locale escaping issue
Last modified: 2016-11-03 08:19:59 UTC
Your friendly security team received the following report via oss-security. Please respond ASAP. The issue is public.

CVE-2011-1095

------------------------------------------------------------------------------
Date: Tue, 8 Mar 2011 12:06:21 +0100
From: Tomas Hoger <thoger@redhat.com>
Subject: [oss-security] glibc locale escaping issue

Hi!

The following glibc upstream and Gentoo bug reports describe a bug in the way the locale command escapes its output.

http://sources.redhat.com/bugzilla/show_bug.cgi?id=11904
http://bugs.gentoo.org/show_bug.cgi?id=330923

The Gentoo bug points out possible security implications. I've not managed to find an example where the locale command is used in a problematic way and where this may cross trust boundaries, so I wonder if this is worth handling as a security fix vs. a security enhancement. Comments are welcome.

The issue was fixed in GLSA 201011-01, but its text really only mentions Tavis' issues.

-- Tomas Hoger / Red Hat Security Response Team
I think an exploit is unlikely since barely anyone uses locale in this way, but I agree that this should be fixed. 11.4 is not affected since it contains a glibc that already includes the fix.
(By the way, I have a bit of a hard time thinking of a way how your locale environment might get corrupted in the first place. Anyone can think of an obvious way?)
Maybe via sudo or setuid helpers that allow locale settings to pass through.
The SWAMPID for this issue is 39331. This issue was rated as moderate. Please submit fixed packages until 2011-03-28. When done, please reassign the bug to security-team@suse.de. Patchinfo will be handled by security team.
p5->p3 mass change
For the enterprise glibc this was fixed/submitted with:

Mon Mar 21 03:53:39 CEST 2011 - pbaudis@suse.cz
- Fixed arbitrary code execution in case of passing extremely large strings as fnmatch() parameters [bnc#625835]
- Fix setxid() race condition [bnc#645303]
- Add baselibs.conf gconv-modules.d generator post block for 32-bit glibc-locale package [bnc#649634]
- Fix ld.so namespace race condition [bnc#664541]
- Fix writev() return value wrapping around on ppc64 [bnc#673111]
- Fix ldd executing loader specified in examined binary [bnc#677787]
- Fix locale output not being escaped to be shell-safe [bnc#678031]

Back to secteam for patchinfo.
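The changelog entry for bnc#678031 only says the locale output is now "escaped to be shell-safe". The point, for anyone auditing scripts that consume `locale` output, is that `NAME=value` lines are commonly fed straight to `eval`, so every value must be quoted so that the shell assigns it literally. The script below is an added illustration, not code from glibc or from anyone in this bug: it single-quotes a value the way a shell-safe `locale` has to, emits `NAME='value'` lines, and verifies by round-trip that `eval` reproduces the original value unchanged. The helper names (`shell_quote`, `emit_locale_line`, `roundtrip_ok`) and the sample values are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the bug report or from glibc: shell-safe quoting
# of "NAME=value" lines of the kind `locale` prints and scripts eval.

# Wrap a value in single quotes, turning each embedded single quote into
# the sequence '\'' (close quote, escaped quote, reopen quote). Inside single
# quotes the shell performs no expansion, so $, backticks, ;, quotes and
# newlines in the value are inert. (Command substitution drops trailing
# newlines from the value; locale variable values do not carry any.)
shell_quote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Print one line in the form NAME='value', as a shell-safe locale would.
emit_locale_line() {
    printf '%s=%s\n' "$1" "$(shell_quote "$2")"
}

# Round-trip check: eval the emitted line in a subshell, read the variable
# back, and compare it to the original value. Returns 0 when they match,
# i.e. when eval assigned the value literally instead of interpreting it.
roundtrip_ok() {
    name=$1
    want=$2
    got=$(
        eval "$(emit_locale_line "$name" "$want")"
        eval "printf '%s' \"\$$name\""
    )
    [ "$got" = "$want" ]
}

# Constructed sample values: a normal locale name, a value with a single
# quote, and a value full of shell metacharacters that an unquoted
# NAME=value line would let eval interpret.
for v in "en_US.UTF-8" "it's" 'x; $(echo y) `z` "w"'; do
    emit_locale_line LC_MESSAGES "$v"
    roundtrip_ok LC_MESSAGES "$v" && echo "  (round-trips intact)"
done
```

Run it with any POSIX sh. A useful check on a fixed `locale` binary is the same round trip: `eval "$(locale)"` in a subshell, then compare each variable against the value `locale` printed; a value that does not survive the round trip was not quoted correctly.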
Released updates.
Update released for: glibc, glibc-32bit, glibc-debuginfo, glibc-debuginfo-32bit, glibc-debuginfo-64bit, glibc-debuginfo-x86, glibc-debugsource, glibc-devel, glibc-devel-32bit, glibc-html, glibc-i18ndata, glibc-info, glibc-locale, glibc-locale-32bit, glibc-locale-x86, glibc-obsolete, glibc-profile, glibc-profile-32bit, glibc-profile-x86, glibc-x86, nscd

Products:
SLE-DEBUGINFO 11-SP1 (i386, ia64, ppc64, s390x, x86_64)
SLE-DESKTOP 11-SP1 (i386, x86_64)
SLE-SDK 11-SP1 (i386, x86_64)
SLE-SERVER 11-SP1 (i386, ia64, ppc64, s390x, x86_64)
SLES4VMWARE 11-SP1 (i386, x86_64)
Update released for: glibc, glibc-32bit, glibc-64bit, glibc-dceext, glibc-dceext-32bit, glibc-dceext-64bit, glibc-dceext-devel, glibc-dceext-x86, glibc-debuginfo, glibc-devel, glibc-devel-32bit, glibc-devel-64bit, glibc-html, glibc-i18ndata, glibc-info, glibc-locale, glibc-locale-32bit, glibc-locale-64bit, glibc-locale-x86, glibc-obsolete, glibc-profile, glibc-profile-32bit, glibc-profile-64bit, glibc-profile-x86, glibc-x86, nscd

Products:
SLE-DEBUGINFO 10-SP4 (i386, ia64, ppc, s390x, x86_64)
SLE-DESKTOP 10-SP4 (i386, x86_64)
SLE-SDK 10-SP4 (i386, ia64, ppc, s390x, x86_64)
SLE-SERVER 10-SP4 (i386, ia64, ppc, s390x, x86_64)
Update released for: glibc, glibc-devel, glibc-html, glibc-i18ndata, glibc-info, glibc-locale, glibc-profile, nscd, timezone

Products:
Novell-Linux-POS 9 (i386)
Open-Enterprise-Server 9 (i386)
SUSE-CORE 9 (i386, ia64, ppc, s390, s390x, x86_64)