Bugzilla – Bug 887022
VUL-0: CVE-2014-0475: glibc: directory traversal in LC_* locale handling
Last modified: 2015-03-20 06:55:17 UTC
CVE-2014-0475 It was found that glibc suffers from a directory traversal vulnerability when processing paths in LC_* variables. As a result, you can set arbitrary locale specifications in certain environment variables, such as LC_ALL. With certain programs, these environment variables are inherited -- this is particularly a problem for suid programs. A program that runs suid to any other user (including root) could inherit these environment variables and load malicious locale specifications, which could result in the execution of arbitrary code. Certain programs do not use locale specifications (such as mount, su, passwd), and some sanitize environment variables that contain certain characters (for instance, if sudo encounters a whitelisted environment variable with '/' in the value, it will unset the environment variable). Other programs may not be as careful with environment variables like this, which could result in arbitrary code execution if they accept such a crafted environment variable that allows for loading arbitrary locale specifications as specified in the environment variable (such as LC_ALL, LC_COLLATE, etc.).

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1102353
http://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-0475.html
http://www.debian.org/security/2014/dsa-2976
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0475
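The report above describes the failure mode (an LC_* value that is used as a path component and can therefore walk out of the locale directory) and the two defensive positions a program can take: refuse such values, or drop the variables before a suid program acts on them. The following C program is an added illustration written for this page; it is not glibc's code and not the attached test case. It validates a locale name the way the described fix requires (non-empty, no '/', not "." or ".."), accepts the composite "LC_CTYPE=...;LC_TIME=..." form that setlocale(3) allows for LC_ALL, and then scans a constructed environment block for LC_*/LANG entries that a privileged program should refuse. The category list, function names and the sample environment are assumptions made for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Locale categories recognised in a composite value (assumed list for this example). */
static const char *const lc_categories[] = {
    "LC_CTYPE", "LC_NUMERIC", "LC_TIME", "LC_COLLATE", "LC_MONETARY",
    "LC_MESSAGES", "LC_PAPER", "LC_NAME", "LC_ADDRESS", "LC_TELEPHONE",
    "LC_MEASUREMENT", "LC_IDENTIFICATION", NULL
};

/* Length of the category name if S starts with "<category>=", else 0. */
static size_t category_prefix_len(const char *s)
{
    for (size_t i = 0; lc_categories[i] != NULL; i++) {
        size_t n = strlen(lc_categories[i]);
        if (strncmp(s, lc_categories[i], n) == 0 && s[n] == '=')
            return n;
    }
    return 0;
}

/* A locale name is only acceptable as a single path component: it must be
   non-empty, contain no '/', and be neither "." nor "..".  Anything else could
   escape the locale directory when the name is appended to a path. */
bool locale_name_is_safe(const char *name, size_t len)
{
    if (len == 0)
        return false;
    if (memchr(name, '/', len) != NULL)
        return false;
    if (name[0] == '.' && (len == 1 || (len == 2 && name[1] == '.')))
        return false;
    return true;
}

/* Validate the value of an LC_* variable: either a plain locale name or a
   composite "LC_CTYPE=de_DE.UTF-8;LC_TIME=C" string.  Every component of a
   composite must itself be a safe name and belong to a known category. */
bool lc_value_is_safe(const char *value)
{
    if (category_prefix_len(value) == 0)
        return locale_name_is_safe(value, strlen(value));

    const char *p = value;
    while (*p != '\0') {
        size_t n = category_prefix_len(p);
        if (n == 0)
            return false;                     /* unknown category or missing '=' */
        const char *name = p + n + 1;
        const char *end = strchr(name, ';');
        if (end == NULL)
            end = name + strlen(name);
        if (!locale_name_is_safe(name, (size_t)(end - name)))
            return false;
        p = (*end == ';') ? end + 1 : end;
    }
    return true;
}

/* True if an "NAME=value" environment entry selects a locale. */
static bool is_locale_var(const char *entry)
{
    return strncmp(entry, "LC_", 3) == 0 || strncmp(entry, "LANG=", 5) == 0;
}

/* Count the locale entries of an environment block that a setuid program
   should refuse to honour (the ones a sanitiser would unset). */
int count_unsafe_locale_entries(const char *const *envp)
{
    int unsafe = 0;
    for (size_t i = 0; envp[i] != NULL; i++) {
        if (!is_locale_var(envp[i]))
            continue;
        const char *eq = strchr(envp[i], '=');
        if (eq == NULL || !lc_value_is_safe(eq + 1))
            unsafe++;
    }
    return unsafe;
}

/* Constructed sample environment for the example (not taken from the report). */
const char *const sample_env[] = {
    "PATH=/usr/bin:/bin",
    "LANG=en_US.UTF-8",
    "LC_ALL=LC_CTYPE=de_DE.UTF-8;LC_TIME=C",   /* composite, every part is safe */
    "LC_MESSAGES=../../../tmp/evil",           /* walks out of the locale directory */
    "LC_COLLATE=en_US.UTF-8/",                 /* trailing slash, as in the upstream test */
    NULL
};

int main(void)
{
    for (size_t i = 0; sample_env[i] != NULL; i++) {
        if (!is_locale_var(sample_env[i]))
            continue;
        const char *eq = strchr(sample_env[i], '=');
        printf("%-40s %s\n", sample_env[i],
               lc_value_is_safe(eq + 1) ? "accept" : "REJECT");
    }
    printf("%d unsafe locale entries\n", count_unsafe_locale_entries(sample_env));
    return 0;
}
```

The check is deliberately a component-level rule rather than a search for "..": a value such as "en_US.UTF-8/" contains no traversal sequence yet still changes the path that is opened, which is exactly the case the upstream test exercises. A sanitiser for a privileged program would unset every entry this scan flags before any locale is loaded.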
bugbot adjusting priority
This is an autogenerated message for OBS integration: This bug (887022) was mentioned in https://build.opensuse.org/request/show/240898 Factory / glibc
An update workflow for this issue was started. This issue was rated as moderate. Please submit fixed packages until 2014-08-15. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/58483
Affected packages: SLE-11-SP3: glibc, glibc.i686
SUSE-SU-2014:1027-1: An update that solves one vulnerability and has two fixes is now available.
Category: security (moderate)
Bug References: 882028,886416,887022
CVE References: CVE-2014-0475
Sources used:
SUSE Linux Enterprise Software Development Kit 11 SP3 (src): glibc-2.11.3-17.68.1
SUSE Linux Enterprise Server 11 SP3 for VMware (src): glibc-2.11.3-17.68.1
SUSE Linux Enterprise Server 11 SP3 (src): glibc-2.11.3-17.68.1
SUSE Linux Enterprise Desktop 11 SP3 (src): glibc-2.11.3-17.68.1
Affected packages:
SLE-10-SP3-TERADATA: glibc, glibc.i686
SLE-11-SP1: glibc, glibc.i686
SLE-11-SP2: glibc.i686, glibc
openSUSE-SU-2014:1115-1: An update that fixes three vulnerabilities is now available.
Category: security (important)
Bug References: 887022,892073,894553
CVE References: CVE-2014-0475,CVE-2014-5119,CVE-2014-6040
Sources used:
openSUSE 13.1 (src): glibc-2.18-4.21.1, glibc-testsuite-2.18-4.21.2, glibc-utils-2.18-4.21.1
openSUSE 12.3 (src): glibc-2.17-4.13.1, glibc-testsuite-2.17-4.13.2, glibc-utils-2.17-4.13.1
This could also be rolled into the current glibc LTSS updates. Andreas, can you still include this?
Which ones are missing?
Created attachment 627167: isolated upstream test case

I have isolated the upstream test case https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=4e8f95a0df7 from the test suite (see attached code). When run on 10-SP4 or 11-SP1 before applying the release candidates (tracking SUBSWAMPID: 60839 resp. SUBSWAMPID: 60831) I get:

s390vsw136:~ # /tmp/BNC#877022
unexpected setlocale success for "en_US.UTF-8/" locale

After applying the mentioned updates from above I get:

s390vsw136:~ # /tmp/BNC#877022
Segmentation fault

Program received signal SIGSEGV, Segmentation fault.
0x00000200000e5ba0 in mempcpy () from /lib64/libc.so.6
(gdb) where
#0  0x00000200000e5ba0 in mempcpy () from /lib64/libc.so.6
#1  0x00000200000974da in __add_to_environ () from /lib64/libc.so.6
#2  0x0000000080000986 in setlocale_fail (envstring=0x200002a3010 "LC_CTYPE=de_DE.UTF-8;LC_TIME=", 'X' <repeats 171 times>...) at /tmp/BNC#877022.c:41
#3  0x0000000080001332 in main (argc=1, argv=0x3ffffb45f38) at /tmp/BNC#877022.c:199
(gdb) up
#1  0x00000200000974da in __add_to_environ () from /lib64/libc.so.6
(gdb) up
#2  0x0000000080000986 in setlocale_fail (envstring=0x200002a3010 "LC_CTYPE=de_DE.UTF-8;LC_TIME=", 'X' <repeats 171 times>...) at /tmp/BNC#877022.c:41
41        setenv ("LC_CTYPE", envstring, 1);
(gdb) list
36      static char *de_locale;
37
38      static void
39      setlocale_fail (const char *envstring)
40      {
41        setenv ("LC_CTYPE", envstring, 1);
42        if (setlocale (LC_CTYPE, "") != NULL)
43          {
44            printf ("unexpected setlocale success for \"%s\" locale\n", envstring);
45            exit (1);
(gdb)
Probably fixed by <http://sourceware.org/git/?p=glibc.git;a=commit;h=c63bfa7>.
This is bug#892065.
We fixed bug#892065 only for SLES 11 SP3 so far. As it is unrelated to this bug report, I would fix it later.
SUSE-SU-2015:0550-1: An update that solves four vulnerabilities and has one errata is now available.
Category: security (moderate)
Bug References: 887022,906371,910599,916222,918233
CVE References: CVE-2013-7423,CVE-2014-7817,CVE-2014-9402,CVE-2015-1472
Sources used:
SUSE Linux Enterprise Server 10 SP4 LTSS (src): glibc-2.4-31.117.1
SUSE-SU-2015:0551-1: An update that solves four vulnerabilities and has two fixes is now available.
Category: security (moderate)
Bug References: 887022,906371,910599,915526,916222,918233
CVE References: CVE-2013-7423,CVE-2014-7817,CVE-2014-9402,CVE-2015-1472
Sources used:
SUSE Linux Enterprise Server 11 SP2 LTSS (src): glibc-2.11.3-17.45.59.1
SUSE Linux Enterprise Server 11 SP1 LTSS (src): glibc-2.11.1-0.64.1
remove dependency and resolve